diff --git a/packages/auditd/3.1.0/changelog.yml b/packages/auditd/3.1.0/changelog.yml
new file mode 100755
index 0000000000..56a6b527ef
--- /dev/null
+++ b/packages/auditd/3.1.0/changelog.yml
@@ -0,0 +1,130 @@ +# newer versions go on top +- version: "3.1.0" + changes: + - description: Change title to Auditd Logs + type: enhancement + link: https://github.com/elastic/integrations/pull/2763 +- version: "3.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3246 +- version: "2.2.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.1.2" + changes: + - description: Set event.outcome value according ECS specification + type: bugfix + link: https://github.com/elastic/integrations/pull/3079 +- version: "2.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.1.0" + changes: + - description: Store EXECVE arguments in process.args array. + type: enhancement + link: https://github.com/elastic/integrations/pull/2730 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2380 + - description: process.ppid is replaced with process.parent.pid (breaking change) + type: enhancement + link: https://github.com/elastic/integrations/pull/2380 +- version: "1.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.0" + changes: + - description: Change test IPs to the supported set for GeoIP + type: enhancement + link: https://github.com/elastic/integrations/pull/2215 + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2215 +- version: "1.2.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2002 +- version: "1.2.3" + changes: + - 
description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1938 +- version: "1.2.2" + changes: + - description: Ensure boolean fields are true/false + type: bugfix + link: https://github.com/elastic/integrations/pull/1896 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1796 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1637 +- version: "1.1.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1464 +- version: '1.1.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1370 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1215 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1215 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0 and apply changes to prepare for package GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1031 +- version: "0.1.2" + changes: + - description: set version in the ingest pipeline and make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/989 +- version: "0.1.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: 
https://github.com/elastic/integrations/pull/833
+- version: "0.1.0"
+ changes:
+ - description: Add changes to use ECS 1.8 fields.
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/715
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/396
diff --git a/packages/auditd/3.1.0/data_stream/log/agent/stream/log.yml.hbs b/packages/auditd/3.1.0/data_stream/log/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..c6e5ed4c73
--- /dev/null
+++ b/packages/auditd/3.1.0/data_stream/log/agent/stream/log.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+exclude_files: [".gz$"]
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/auditd/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..36116791ce
--- /dev/null
+++ b/packages/auditd/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
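Review bot: The templated scalars in the `paths` and `tags` sequences of log.yml.hbs are emitted as plain unquoted YAML (`- {{path}}` and `- {{tag}}`), so a configured path containing ` #` or `: `, or a tag that looks boolean such as `on` or `no`, would be read by the YAML loader as a comment, a nested mapping or a bool instead of the intended string; quoting them as `- "{{path}}"` and `- "{{tag}}"` closes that implicit-typing gap without changing behaviour for ordinary values. The `{{processors}}` value is spliced in verbatim, which is presumably required because it carries structured YAML, but a short template comment such as `{{! processors must be a pre-indented YAML list }}` would make that contract explicit for policy authors. The file also ends without a trailing newline (`\ No newline at end of file`).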
@@ -0,0 +1,2243 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_failure: true + - grok: + field: event.original + pattern_definitions: + AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}" + AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} " + AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" + AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}" + ANY: ".*" + patterns: + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} + new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} + new ses=%{NUMBER:auditd.log.new_ses}" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"]([^=]*\\s)?%{ANY:auditd.log.sub_kv}['\"]" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - "%{AUDIT_PREFIX}" + - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - kv: + field: auditd.log.kv + field_split: "\\s+" + value_split: "=" + target_field: auditd.log + - kv: + field: auditd.log.sub_kv + field_split: "\\s+(?=[^\\s]+=)" + value_split: "=" + target_field: auditd.log + ignore_missing: true + - date: + field: auditd.log.epoch + target_field: "@timestamp" + formats: + - UNIX + ignore_failure: true + - rename: + ignore_failure: true + field: auditd.log.old-auid + target_field: auditd.log.old_auid + - rename: + ignore_failure: true + field: auditd.log.old-ses + target_field: auditd.log.old_ses + - script: + lang: painless + source: | + String trimQuotes(def singleQuote, def doubleQuote, def v) { + if (v.startsWith(singleQuote) || v.startsWith(doubleQuote)) { + v = v.substring(1, v.length()); + } + if (v.endsWith(singleQuote) || v.endsWith(doubleQuote)) { + v = v.substring(0, v.length()-1); + } + return v; + } + + boolean isHexAscii(String v) { + def len = v.length(); + + if (len == 0 || len % 2 != 0) { + 
return false; + } + + for (int i = 0 ; i < len ; i++) { + if (Character.digit(v.charAt(i), 16) == -1) { + return false; + } + } + return true; + } + + String convertHexToString(String hex) { + StringBuilder sb = new StringBuilder(); + boolean needed_encoding = false; + + for (int i=0; i < hex.length() - 1; i+=2) { + int cp = Integer.parseInt(hex.substring(i, (i +2)), 16); + if (cp < 33 || cp == 34 || cp == 127) { + needed_encoding = true; + } + if (cp < 32 || cp == 127) { + sb.append('^'); + cp ^= 64; + } + sb.append((char)cp); + } + if (needed_encoding) { + return sb.toString(); + } + return hex; + } + + Boolean convertStringToBoolean(String value) { + value = value.toLowerCase(); + return value == "yes" || value == "true" || value == "1"; + } + + def possibleHexKeys = ["exe", "cmd", "data", "path", "comm", "file", "name", "watch", "cwd", "acct", "dir", "vm", "old-chardev", "new-chardev", "old-disk", "new-disk", "old-fs", "new-fs", "old-net", "new-net", "device", "cgroup", "apparmor", "operation", "denied_mask", "info", "profile", "requested_mask", "old-rng", "new-rng", "ocomm", "grp", "new_group", "invalid_context", "sw", "root_dir", "proctitle"]; + def possibleBooleanKeys = ["success", "key_enforce"]; + def audit = ctx.auditd.get("log"); + Iterator entries = audit.entrySet().iterator(); + + while (entries.hasNext()) { + def e = entries.next(); + def k = e.getKey(); + def v = e.getValue(); + + // Remove entries whose value is ? + if (v == "?" || v == "(null)" || v == "") { + entries.remove(); + continue; + } + + // Convert hex values to ASCII. + if (possibleHexKeys.contains(k) && isHexAscii(v)) { + v = convertHexToString(v); + audit.put(k, v); + } + + // Convert string values to boolean. + if (possibleBooleanKeys.contains(k) && v instanceof String) { + v = convertStringToBoolean(v); + audit.put(k, v); + } + + // Trim quotes. + if (v instanceof String) { + v = trimQuotes(params.single_quote, params.double_quote, v); + audit.put(k, v); + } + + // Convert arch. 
+ if (k == "arch" && v == "c000003e") { + audit.put(k, "x86_64"); + } + } + params: + single_quote: "'" + double_quote: "\"" + - convert: + field: auditd.log.sequence + type: long + ignore_missing: true + - convert: + field: auditd.log.lport + type: long + ignore_missing: true + - convert: + field: auditd.log.rport + type: long + ignore_missing: true + - convert: + field: auditd.log.entries + type: long + ignore_missing: true + - convert: + field: auditd.log.dst_prefixlen + type: long + ignore_missing: true + - convert: + field: auditd.log.ksize + type: long + ignore_missing: true + - convert: + field: auditd.log.size + type: long + ignore_missing: true + - convert: + field: auditd.log.src_prefixlen + type: long + ignore_missing: true + - set: + field: event.kind + value: event + - script: + lang: painless + ignore_failure: true + # Auditd record type to ECS mappings + # AUTOGENERATED FROM go-libaudit v2.2.0, DO NOT EDIT + params: + syscalls: + '*': + - event: + category: + - process + type: + - info + accept: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + accept4: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + access: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + adjtimex: + - event: + action: + - changed-system-time + category: + - host + type: + - change + bind: + - event: + action: + - bound-socket + category: + - network + type: + - start + brk: + - event: + action: + - allocated-memory + category: + - process + type: + - info + chmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + chown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + clock_settime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + connect: + - event: + action: + - connected-to + category: + - network + 
type: + - connection + - start + creat: + - event: + action: + - opened-file + category: + - file + type: + - creation + delete_module: + - event: + action: + - unloaded-kernel-module + category: + - driver + type: + - end + execve: + - event: + action: + - executed + category: + - process + type: + - start + execveat: + - event: + action: + - executed + category: + - process + type: + - start + faccessat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fallocate: + - event: + action: + - opened-file + category: + - file + type: + - change + fchmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchmodat: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fchownat: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + finit_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + fremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + ftruncate: + - event: + action: + - opened-file + category: + - file + type: + - change + futimens: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + futimesat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + getxattr: + - 
event: + action: + - checked-metadata-of + category: + - file + type: + - info + init_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + kill: + - event: + action: + - killed-pid + category: + - process + type: + - end + lchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + lgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + listen: + - event: + action: + - listen-for-connections + category: + - network + type: + - start + lremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + mkdir: + - event: + action: + - created-directory + category: + - file + type: + - creation + mkdirat: + - event: + action: + - created-directory + category: + - file + type: + - creation + mknod: + - event: + action: + - make-device + category: + - file + type: + - creation + mknodat: + - event: + action: + - make-device + category: + - file + type: + - creation + mmap: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mmap2: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mount: + - event: + action: + - mounted + category: + - file + type: + - creation + newfstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + open: + - event: + action: + - opened-file + category: + - file + type: + - info + openat: + - event: + action: + - opened-file + category: + - file + type: + - info + read: + - event: + action: + - read-file + category: + - file + type: + - info + readlink: + - event: + action: + - opened-file + category: + - file + type: + - info + readlinkat: + - event: + action: + - opened-file + category: + 
- file + type: + - info + recv: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvfrom: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + removexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + rename: + - event: + action: + - renamed + category: + - file + type: + - change + renameat: + - event: + action: + - renamed + category: + - file + type: + - change + renameat2: + - event: + action: + - renamed + category: + - file + type: + - change + rmdir: + - event: + action: + - deleted + category: + - file + type: + - deletion + sched_setattr: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setparam: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setscheduler: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + send: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendto: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + setdomainname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setegid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + seteuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsgid: + - event: + action: + - changed-identity-of + 
category: + - process + type: + - change + setfsuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + sethostname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setregid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setreuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + settimeofday: + - event: + action: + - changed-system-time + category: + - host + type: + - change + setuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + stat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + stat64: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + statfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + stime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + symlink: + - event: + action: + - symlinked + category: + - file + type: + - creation + symlinkat: + - event: + action: + - symlinked + category: + - file + type: + - creation + tgkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + tkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + truncate: + - event: + action: + - opened-file + category: + - file + type: + - change + umount: + - event: + action: + - unmounted + category: + - file + type: + - deletion + umount2: + - event: + action: + - unmounted + 
category: + - file + type: + - deletion + unlink: + - event: + action: + - deleted + category: + - file + type: + - deletion + unlinkat: + - event: + action: + - deleted + category: + - file + type: + - deletion + utime: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimensat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimes: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + write: + - event: + action: + - wrote-to-file + category: + - file + type: + - change + types: + ACCT_LOCK: + - event: + action: + - locked-account + category: + - iam + type: + - user + - info + ACCT_UNLOCK: + - event: + action: + - unlocked-account + category: + - iam + type: + - user + - info + ADD_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - added-group-account-to + category: + - iam + type: + - group + - creation + ADD_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - added-user-account + category: + - iam + type: + - user + - creation + ANOM_ABEND: + - event: + action: + - crashed-program + category: + - process + type: + - end + ANOM_EXEC: + - event: + action: + - attempted-execution-of-forbidden-program + category: + - process + type: + - start + ANOM_LINK: + - event: + action: + - used-suspicious-link + ANOM_LOGIN_FAILURES: + - event: + action: + - failed-log-in-too-many-times-to + ANOM_LOGIN_LOCATION: + - event: + action: + - attempted-log-in-from-unusual-place-to + ANOM_LOGIN_SESSIONS: + - event: + action: + - opened-too-many-sessions-to + ANOM_LOGIN_TIME: + - event: + action: + - attempted-log-in-during-unusual-hour-to + ANOM_PROMISCUOUS: + - event: + action: + - changed-promiscuous-mode-on-device + ANOM_RBAC_INTEGRITY_FAIL: + - event: + action: + - 
tested-file-system-integrity-of + AVC: + - event: + action: + - violated-selinux-policy + has_fields: + - seresult + - event: + action: + - violated-apparmor-policy + has_fields: + - apparmor + CHGRP_ID: + - event: + action: + - changed-group + category: + - process + type: + - change + CHUSER_ID: + - event: + action: + - changed-user-id + category: + - process + type: + - change + CONFIG_CHANGE: + - event: + action: + - changed-audit-configuration + category: + - process + - configuration + type: + - change + CRED_ACQ: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - acquired-credentials + category: + - authentication + type: + - info + CRED_DISP: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - disposed-credentials + category: + - authentication + type: + - info + CRED_REFR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - refreshed-credentials + category: + - authentication + type: + - info + CRYPTO_KEY_USER: + - event: + action: + - negotiated-crypto-key + category: + - process + type: + - info + CRYPTO_LOGIN: + - event: + action: + - crypto-officer-logged-in + CRYPTO_LOGOUT: + - event: + action: + - crypto-officer-logged-out + category: + - process + type: + - info + CRYPTO_SESSION: + - event: + action: + - started-crypto-session + category: + - process + type: + - info + DAC_CHECK: + - event: + action: + - access-result + DAEMON_ABORT: + - event: + action: + - aborted-auditd-startup + category: + - process + type: + - stop + DAEMON_ACCEPT: + - event: + action: + - remote-audit-connected + category: + - network + type: + - connection + - start + DAEMON_CLOSE: + - event: + action: + - remote-audit-disconnected + category: + - network + type: + - connection + - start + DAEMON_CONFIG: + - event: + action: + - changed-auditd-configuration + category: + - 
process + - configuration + type: + - change + DAEMON_END: + - event: + action: + - shutdown-audit + category: + - process + type: + - stop + DAEMON_ERR: + - event: + action: + - audit-error + category: + - process + type: + - info + DAEMON_RECONFIG: + - event: + action: + - reconfigured-auditd + category: + - process + - configuration + type: + - info + DAEMON_RESUME: + - event: + action: + - resumed-audit-logging + category: + - process + type: + - change + DAEMON_ROTATE: + - event: + action: + - rotated-audit-logs + category: + - process + type: + - change + DAEMON_START: + - event: + action: + - started-audit + category: + - process + type: + - start + DEL_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - deleted-group-account-from + category: + - iam + type: + - group + - deletion + DEL_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - deleted-user-account + category: + - iam + type: + - user + - deletion + FEATURE_CHANGE: + - event: + action: + - changed-audit-feature + category: + - configuration + type: + - change + FS_RELABEL: + - event: + action: + - relabeled-filesystem + GRP_AUTH: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + event: + action: + - authenticated-to-group + category: + - authentication + type: + - info + GRP_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: group + event: + action: + - changed-group-password + category: + - iam + type: + - group + - change + GRP_MGMT: + - copy: + - from: + - auid + to: user + - from: + - uid + to: group + - from: + - uid + to: user.effective + event: + action: + - modified-group-account + category: + - iam + type: + - group + - change + KERNEL: + - event: + action: + - initialized-audit-subsystem + 
category: + - process + type: + - info + KERN_MODULE: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + LABEL_LEVEL_CHANGE: + - event: + action: + - modified-level-of + LABEL_OVERRIDE: + - event: + action: + - overrode-label-of + LOGIN: + - copy: + - from: + - old_auid + - old-auid + to: user + - from: + - new-auid + - new_auid + - auid + to: user.effective + event: + action: + - changed-login-id-to + category: + - authentication + type: + - start + MAC_CHECK: + - event: + action: + - mac-permission + MAC_CONFIG_CHANGE: + - event: + action: + - changed-selinux-boolean + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + - event: + action: + - loaded-selinux-policy + category: + - configuration + type: + - access + MAC_STATUS: + - event: + action: + - changed-selinux-enforcement + category: + - configuration + type: + - change + NETFILTER_CFG: + - event: + action: + - loaded-firewall-rule-to + category: + - configuration + type: + - change + ROLE_ASSIGN: + - event: + action: + - assigned-user-role-to + category: + - iam + type: + - user + - change + ROLE_MODIFY: + - event: + action: + - modified-role + category: + - iam + type: + - change + ROLE_REMOVE: + - event: + action: + - removed-user-role-from + category: + - iam + type: + - user + - change + SECCOMP: + - event: + action: + - violated-seccomp-policy + SELINUX_ERR: + - event: + action: + - caused-mac-policy-error + SERVICE_START: + - event: + action: + - started-service + category: + - process + type: + - start + SERVICE_STOP: + - event: + action: + - stopped-service + category: + - process + type: + - stop + SOFTWARE_UPDATE: + - event: + action: + - package-updated + category: + - package + type: + - info + SYSTEM_BOOT: + - event: + action: + - booted-system + category: + - host + type: + - start + SYSTEM_RUNLEVEL: + - event: + action: + - changed-to-runlevel + category: + - host + type: + - change + SYSTEM_SHUTDOWN: + - event: + action: + - 
shutdown-system + category: + - host + type: + - end + TEST: + - event: + action: + - sent-test + category: + - process + type: + - info + TRUSTED_APP: + - event: + action: + - unknown + category: + - process + type: + - info + TTY: + - event: + action: + - typed + USER: + - event: + action: + - sent-message + USER_ACCT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - was-authorized + category: + - authentication + type: + - info + USER_AUTH: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - authenticated + category: + - authentication + type: + - info + USER_AVC: + - event: + action: + - access-permission + USER_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: user.target + event: + action: + - changed-password + category: + - iam + type: + - user + - change + USER_CMD: + - event: + action: + - ran-command + category: + - process + type: + - start + USER_END: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - ended-session + category: + - session + type: + - end + USER_ERR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - error + category: + - authentication + type: + - info + USER_LOGIN: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-in + category: + - authentication + type: + - start + USER_LOGOUT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-out + category: + - authentication + type: + - end + USER_MAC_CONFIG_CHANGE: + - event: + action: + - changed-mac-configuration + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + - event: + 
action: + - loaded-mac-policy + category: + - configuration + type: + - access + USER_MGMT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.target + - from: + - uid + to: user.effective + event: + action: + - modified-user-account + category: + - iam + type: + - user + - change + USER_ROLE_CHANGE: + - event: + action: + - changed-role-to + USER_SELINUX_ERR: + - event: + action: + - access-error + USER_START: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - started-session + category: + - session + type: + - start + USER_TTY: + - event: + action: + - typed + USYS_CONFIG: + - event: + action: + - changed-configuration + category: + - configuration + type: + - change + VIRT_CONTROL: + - event: + action: + - issued-vm-control + category: + - host + type: + - info + VIRT_CREATE: + - event: + action: + - created-vm-image + category: + - host + type: + - info + VIRT_DESTROY: + - event: + action: + - deleted-vm-image + category: + - host + type: + - info + VIRT_INTEGRITY_CHECK: + - event: + action: + - checked-integrity-of + category: + - host + type: + - info + VIRT_MACHINE_ID: + - event: + action: + - assigned-vm-id + category: + - host + type: + - info + VIRT_MIGRATE_IN: + - event: + action: + - migrated-vm-from + category: + - host + type: + - info + VIRT_MIGRATE_OUT: + - event: + action: + - migrated-vm-to + category: + - host + type: + - info + VIRT_RESOURCE: + - event: + action: + - assigned-vm-resource + category: + - host + type: + - info + # END OF AUTOGENERATED + source: >- + boolean hasFields(HashMap base, def list) { + if (list == null) return true; + for (int i=0; i ctx.event[k] = v); + } + if (act?.copy != null) { + List lst = new ArrayList(); + for(int i=0; i 0) { + ctx.auditd.log["copy"] = lst; + } + } + - foreach: + field: auditd.log.copy + ignore_missing: true + processor: + set: + field: "{{_ingest._value.target}}" + value: 
"{{_ingest._value.value}}" + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category + value: process + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'start'" + field: event.type + value: start + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'stop'" + field: event.type + value: end + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'create'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'delete'" + field: event.type + value: deletion + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.name + value: "{{ auditd.log.vm }}" + ignore_empty_value: true + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.runtime + value: "{{ auditd.log.virt }}" + ignore_empty_value: true + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'accept' || ctx.auditd.log?.syscall == '43' || + ctx.auditd.log?.syscall == 'recvfrom' || ctx.auditd.log?.syscall == '45' || + ctx.auditd.log?.syscall == 'recvmsg' || ctx.auditd.log?.syscall == '47' || + 
ctx.auditd.log?.syscall == 'accept4' || ctx.auditd.log?.syscall == '288' ) + field: network.direction + value: ingress + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'connect' || ctx.auditd.log?.syscall == '42' || + ctx.auditd.log?.syscall == 'sendto' || ctx.auditd.log?.syscall == '44' || + ctx.auditd.log?.syscall == 'sendmsg' || ctx.auditd.log?.syscall == '46') + field: network.direction + value: egress + - set: + copy_from: auditd.log.arch + field: host.architecture + if: ctx.auditd.log?.arch != null + - rename: + ignore_failure: true + field: auditd.log.acct + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.user + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.uid + target_field: user.id + - rename: + ignore_failure: true + field: auditd.log.gid + target_field: user.group.id + - rename: + ignore_failure: true + field: auditd.log.agid + target_field: user.audit.group.id + - rename: + ignore_failure: true + field: auditd.log.auid + target_field: user.audit.id + - rename: + ignore_failure: true + field: auditd.log.fsgid + target_field: user.filesystem.group.id + - rename: + ignore_failure: true + field: auditd.log.fsuid + target_field: user.filesystem.id + - rename: + ignore_failure: true + field: auditd.log.egid + target_field: user.effective.group.id + - rename: + ignore_failure: true + field: auditd.log.euid + target_field: user.effective.id + - rename: + ignore_failure: true + field: auditd.log.sgid + target_field: user.saved.group.id + - rename: + ignore_failure: true + field: auditd.log.suid + target_field: user.saved.id + - rename: + ignore_failure: true + field: auditd.log.ogid + target_field: user.owner.group.id + - rename: + ignore_failure: true + field: auditd.log.ouid + target_field: user.owner.id + - rename: + ignore_failure: true + field: auditd.log.comm + target_field: process.name + - rename: + ignore_failure: true + field: auditd.log.exe + 
target_field: process.executable + - rename: + ignore_failure: true + field: auditd.log.pid + target_field: process.pid + - rename: + ignore_failure: true + field: auditd.log.ppid + target_field: process.parent.pid + - convert: + ignore_missing: true + field: process.pid + type: long + - convert: + ignore_missing: true + field: process.parent.pid + type: long + - rename: + ignore_failure: true + field: auditd.log.cmd + target_field: process.args + - split: + ignore_failure: true + field: process.args + separator: "\\s+" + - rename: + ignore_failure: true + field: auditd.log.argc + target_field: process.args_count + - script: + if: "ctx?.process?.args != null" + lang: painless + source: >- + if (ctx.process.args instanceof List) { + ctx.process.args_count = ctx.process.args.length; + } + - convert: + ignore_missing: true + field: process.args_count + type: long + - rename: + ignore_failure: true + field: auditd.log.exit + target_field: process.exit_code + - convert: + ignore_missing: true + field: process.exit_code + type: long + - rename: + ignore_missing: true + field: auditd.log.cwd + target_field: process.working_directory + - rename: + ignore_failure: true + field: auditd.log.terminal + target_field: user.terminal + - rename: + ignore_failure: true + field: auditd.log.msg + target_field: message + - set: + if: (ctx?.auditd?.log?.res != null && ["1", "success"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "success" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && ["0", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "failure" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && !["0", "1", "success", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "unknown" + ignore_failure: true + # The processor below populates process.args list from argN fields. 
+ # + # It handles the common case of a complete record: Contains argc=N and a0 to aN-1, + # and the truncated case: Contains aI, aI+1, ..., aN-1, for I>0, and no argc. + - script: + lang: painless + description: Extracts process arguments from EXECVE calls. + if: 'ctx.auditd?.log?.record_type == "EXECVE"' + source: >- + /* Want to capture all aNN fields, including aN_len and aN[x] */ + Pattern argRegex = /^a([0-9]+)(.*)$/; + + List keys = ctx.auditd.log.keySet().stream() + /* From List of keys to list of matchers */ + .map(x -> argRegex.matcher(x)) + /* Drop elements that didn't match the regex */ + .filter(x -> x.matches()) + /* Must save to a list because it needs to remove keys in auditd.log, + which cannot be done while streaming from this source */ + .collect(Collectors.toList()); + + List args = keys.stream() + /* List to List<[Matcher, Value for given key]> + with side effect of removing the key */ + .map(x -> [x, ctx.auditd.log.remove(x.group(0))]) + /* Drop elements that end in _len, just wanted to remove them */ + .filter(x -> x[0].group(2) != "_len") + /* List to List<[Int, Value]> + where the Int is the argument index */ + .map(x -> [Integer.parseInt(x[0].group(1)), x[1]]) + /* Sort by numeric argument index */ + .sorted((lhs, rhs) -> lhs[0].compareTo(rhs[0])) + /* Save as List<[Index, Value]> */ + .collect(Collectors.toList()); + + if (args.isEmpty()) return; + if (ctx.process == null) ctx.process = new HashMap(); + ctx.process.args = args.stream().map(x -> x[1]).collect(Collectors.toList()); + def firstIndex = args[0][0]; + if (firstIndex == 0) { + ctx.process.executable = ctx.process.args[0]; + } else { + ctx.process.args.add(0, "[... 
" + firstIndex + " truncated arguments ...]"); + } + on_failure: + - append: + field: error.message + value: "failed extracting process arguments: {{{ _ingest.on_failure_message }}}" + - rename: + ignore_failure: true + field: auditd.log.record_type + target_field: event.action + - lowercase: + ignore_failure: true + field: event.action + - rename: + ignore_failure: true + field: auditd.log.src + target_field: source.address + - rename: + ignore_failure: true + field: auditd.log.addr + target_field: source.address + if: ctx?.source?.address == null + - rename: + ignore_failure: true + field: auditd.log.dst + target_field: destination.address + - grok: + field: source.address + patterns: + - "^%{IP:source.ip}$" + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_failure: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - auditd.log.kv + - auditd.log.sub_kv + - auditd.log.epoch + - auditd.log.copy + - auditd.log.arch + - auditd.log.res + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/auditd/3.1.0/data_stream/log/fields/agent.yml b/packages/auditd/3.1.0/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/auditd/3.1.0/data_stream/log/fields/base-fields.yml b/packages/auditd/3.1.0/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..5e4ff67d8d --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/fields/base-fields.yml @@ -0,0 +1,25 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: auditd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: auditd.log +- name: '@timestamp' + type: date + description: Event timestamp. +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/auditd/3.1.0/data_stream/log/fields/ecs.yml b/packages/auditd/3.1.0/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..8ec2a65561 --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/fields/ecs.yml 
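Review bot: `container.name` and `host.architecture` are defined here (inside the `container` and `host` groups) and again as flat entries in ecs.yml further down in this commit; both copies are `keyword`, so the mappings merge cleanly today, but two sources of truth for the same field invite drift when one file is regenerated. Keeping the ECS-owned definitions in ecs.yml only, or adding `# also defined in ecs.yml` next to the entries here, would make the overlap visible. Separately, `example: 666777888999` under `account.id` is an unquoted plain scalar that a YAML parser reads as an integer for a `keyword` field; `example: "666777888999"` keeps it a string.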
@@ -0,0 +1,196 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/auditd/3.1.0/data_stream/log/fields/fields.yml b/packages/auditd/3.1.0/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..90ad2435ae --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/fields/fields.yml 
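Review bot: The pipeline's `set` processors write `event.category` and `event.type` (the SYSTEM_BOOT/SYSCALL/VIRT_* rules in the ingest pipeline hunk earlier on this page) and the sample event carries `event.kind`, but none of those three fields is declared in this file. Unless the package's format version brings them in through the ECS dynamic templates, they will be mapped dynamically as `text` with a `.keyword` multi-field, which breaks the exact-match filtering and aggregations that detection content relies on; entries of the form `- description: ... name: event.category type: keyword` for `event.category`, `event.type` and `event.kind` next to `event.action` would close that gap. A smaller inconsistency: `source.geo.location` carries `level: core` while no other entry in this file has a `level` key.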
@@ -0,0 +1,185 @@ +- name: auditd.log + type: group + default_field: false + fields: + - name: old_auid + type: keyword + description: | + For login events this is the old audit ID used for the user prior to this login. + - name: new_auid + type: keyword + description: | + For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). + - name: old_ses + type: keyword + description: | + For login events this is the old session ID used for the user prior to this login. + - name: new_ses + type: keyword + description: | + For login events this is the new session ID. It can be used to tie a user to future events by session ID. + - name: sequence + type: long + description: | + The audit event sequence number. + - name: items + type: keyword + description: | + The number of items in an event. + - name: item + type: keyword + description: | + The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. + - name: tty + type: keyword + - name: a0 + type: keyword + description: | + The first argument to the system call. + - name: a0 + description: The first argument to the system call. 
+ type: keyword + - name: addr + type: ip + - name: rport + type: long + - name: laddr + type: ip + - name: lport + type: long + - name: entries + type: long + - name: audit_failure + type: keyword + - name: cipher + type: keyword + - name: data + type: keyword + - name: dev + type: keyword + - name: fe + type: keyword + - name: fi + type: keyword + - name: fp + type: keyword + - name: format + type: keyword + - name: default-context + type: keyword + - name: direction + type: keyword + - name: dst_prefixlen + type: long + - name: family + type: keyword + - name: fver + type: keyword + - name: gpg_res + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: inode + type: keyword + - name: kernel + type: keyword + - name: key_enforce + type: boolean + - name: img-ctx + type: keyword + - name: kind + type: keyword + - name: ksize + type: long + - name: list + type: keyword + - name: major + type: keyword + - name: minor + type: keyword + - name: mode + type: keyword + - name: model + type: keyword + - name: name + type: keyword + - name: new-level + type: keyword + - name: new_pe + type: keyword + - name: new_pi + type: keyword + - name: new_pp + type: keyword + - name: old-level + type: keyword + - name: old_pe + type: keyword + - name: old_pi + type: keyword + - name: old_pp + type: keyword + - name: node + type: keyword + - name: obj + type: keyword + - name: objtype + type: keyword + - name: old + type: keyword + - name: op + type: keyword + - name: pfs + type: keyword + - name: proctitle + type: keyword + - name: rdev + type: keyword + - name: reason + type: keyword + - name: root_dir + type: keyword + - name: saddr + type: keyword + - name: selected-context + type: keyword + - name: ses + type: keyword + - name: spid + type: keyword + - name: src_prefixlen + type: long + - name: subj + type: keyword + - name: success + type: boolean + - name: sw + type: keyword + - name: sw_type + type: keyword + - name: syscall + type: keyword 
+ - name: table + type: keyword + - name: unit + type: keyword + - name: uuid + type: keyword + - name: ver + type: keyword + - name: virt + type: keyword + - name: vm + type: keyword + - name: vm-ctx + type: keyword + - name: geoip + type: group + - name: uid + type: keyword + - name: record_type + type: keyword + - name: reset + type: keyword diff --git a/packages/auditd/3.1.0/data_stream/log/fields/package-fields.yml b/packages/auditd/3.1.0/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..208d48ec1f --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/fields/package-fields.yml 
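Review bot: `a0` is declared twice in the `auditd.log` group — once with a block-scalar description and once with a plain one — which is a duplicate field definition that elastic-package may reject and that otherwise resolves by last-wins; drop one of the two entries. The `geoip` entry (`- name: geoip type: group`) declares a group with no `fields`, and the same pattern closes package-fields.yml with a bare `auditd` group; if these are intentional placeholders, a comment such as `# empty group so nested fields from other files can attach` would make that explicit. `addr` and `laddr` are typed `ip`, yet auditd is, to my knowledge, prone to emitting non-address placeholders in these keys; because the pipeline only moves `auditd.log.addr` into `source.address` when `source.address` is still null, a leftover non-IP value would be rejected by the `ip` mapper, so a test fixture covering that case or a `keyword` type is worth considering.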
@@ -0,0 +1,104 @@ +- name: user + type: group + fields: + - name: terminal + type: keyword + description: | + Terminal or tty device on which the user is performing the observed activity. + - name: audit + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: effective + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: filesystem + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: owner + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: saved + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. 
+ - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. +- name: auditd + type: group diff --git a/packages/auditd/3.1.0/data_stream/log/manifest.yml b/packages/auditd/3.1.0/data_stream/log/manifest.yml new file mode 100755 index 0000000000..285926867f --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/manifest.yml @@ -0,0 +1,41 @@ +type: logs +title: Auditd logs +streams: + - input: logfile + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/audit/audit.log* + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - auditd-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Auditd logs + description: Collect Auditd logs using log input diff --git a/packages/auditd/3.1.0/data_stream/log/sample_event.json b/packages/auditd/3.1.0/data_stream/log/sample_event.json new file mode 100755 index 0000000000..7b84a0d9d1 --- /dev/null +++ b/packages/auditd/3.1.0/data_stream/log/sample_event.json 
@@ -0,0 +1,70 @@ +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/docs/README.md b/packages/auditd/3.1.0/docs/README.md new file mode 100755 index 0000000000..85f343c361 --- /dev/null +++ b/packages/auditd/3.1.0/docs/README.md 
@@ -0,0 +1,277 @@ +# Auditd Logs Integration + +The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`). + +## Compatibility + +The integration was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7. + +This integration is not available for Windows. + +## Auditd Logs + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| auditd.log.a0 | The first argument to the system call. 
| keyword | +| auditd.log.addr | | ip | +| auditd.log.audit_failure | | keyword | +| auditd.log.cipher | | keyword | +| auditd.log.data | | keyword | +| auditd.log.default-context | | keyword | +| auditd.log.dev | | keyword | +| auditd.log.direction | | keyword | +| auditd.log.dst_prefixlen | | long | +| auditd.log.entries | | long | +| auditd.log.family | | keyword | +| auditd.log.fe | | keyword | +| auditd.log.fi | | keyword | +| auditd.log.format | | keyword | +| auditd.log.fp | | keyword | +| auditd.log.fver | | keyword | +| auditd.log.gpg_res | | keyword | +| auditd.log.hostname | | keyword | +| auditd.log.id | | keyword | +| auditd.log.img-ctx | | keyword | +| auditd.log.inode | | keyword | +| auditd.log.item | The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. | keyword | +| auditd.log.items | The number of items in an event. | keyword | +| auditd.log.kernel | | keyword | +| auditd.log.key_enforce | | boolean | +| auditd.log.kind | | keyword | +| auditd.log.ksize | | long | +| auditd.log.laddr | | ip | +| auditd.log.list | | keyword | +| auditd.log.lport | | long | +| auditd.log.major | | keyword | +| auditd.log.minor | | keyword | +| auditd.log.mode | | keyword | +| auditd.log.model | | keyword | +| auditd.log.name | | keyword | +| auditd.log.new-level | | keyword | +| auditd.log.new_auid | For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). | keyword | +| auditd.log.new_pe | | keyword | +| auditd.log.new_pi | | keyword | +| auditd.log.new_pp | | keyword | +| auditd.log.new_ses | For login events this is the new session ID. It can be used to tie a user to future events by session ID. 
| keyword | +| auditd.log.node | | keyword | +| auditd.log.obj | | keyword | +| auditd.log.objtype | | keyword | +| auditd.log.old | | keyword | +| auditd.log.old-level | | keyword | +| auditd.log.old_auid | For login events this is the old audit ID used for the user prior to this login. | keyword | +| auditd.log.old_pe | | keyword | +| auditd.log.old_pi | | keyword | +| auditd.log.old_pp | | keyword | +| auditd.log.old_ses | For login events this is the old session ID used for the user prior to this login. | keyword | +| auditd.log.op | | keyword | +| auditd.log.pfs | | keyword | +| auditd.log.proctitle | | keyword | +| auditd.log.rdev | | keyword | +| auditd.log.reason | | keyword | +| auditd.log.record_type | | keyword | +| auditd.log.reset | | keyword | +| auditd.log.root_dir | | keyword | +| auditd.log.rport | | long | +| auditd.log.saddr | | keyword | +| auditd.log.selected-context | | keyword | +| auditd.log.sequence | The audit event sequence number. | long | +| auditd.log.ses | | keyword | +| auditd.log.spid | | keyword | +| auditd.log.src_prefixlen | | long | +| auditd.log.subj | | keyword | +| auditd.log.success | | boolean | +| auditd.log.sw | | keyword | +| auditd.log.sw_type | | keyword | +| auditd.log.syscall | | keyword | +| auditd.log.table | | keyword | +| auditd.log.tty | | keyword | +| auditd.log.uid | | keyword | +| auditd.log.unit | | keyword | +| auditd.log.uuid | | keyword | +| auditd.log.ver | | keyword | +| auditd.log.virt | | keyword | +| auditd.log.vm | | keyword | +| auditd.log.vm-ctx | | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. 
| match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.audit.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.audit.group.name | Name of the group. | keyword | +| user.audit.id | One or multiple unique identifiers of the user. | keyword | +| user.audit.name | Short name or login of the user. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.filesystem.group.id | Unique identifier for the group on the system/platform. 
| keyword | +| user.filesystem.group.name | Name of the group. | keyword | +| user.filesystem.id | One or multiple unique identifiers of the user. | keyword | +| user.filesystem.name | Short name or login of the user. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.owner.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.owner.group.name | Name of the group. | keyword | +| user.owner.id | One or multiple unique identifiers of the user. | keyword | +| user.owner.name | Short name or login of the user. | keyword | +| user.saved.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.saved.group.name | Name of the group. | keyword | +| user.saved.id | One or multiple unique identifiers of the user. | keyword | +| user.saved.name | Short name or login of the user. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.terminal | Terminal or tty device on which the user is performing the observed activity. | keyword | + diff --git a/packages/auditd/3.1.0/img/kibana-audit-auditd.png b/packages/auditd/3.1.0/img/kibana-audit-auditd.png new file mode 100755 index 0000000000..732afa18dc Binary files /dev/null and b/packages/auditd/3.1.0/img/kibana-audit-auditd.png differ diff --git a/packages/auditd/3.1.0/img/linux.svg b/packages/auditd/3.1.0/img/linux.svg new file mode 100755 index 0000000000..c0a92e0c0f --- /dev/null 
+++ b/packages/auditd/3.1.0/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/auditd/3.1.0/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json b/packages/auditd/3.1.0/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json new file mode 100755 index 0000000000..0badd80a3a --- /dev/null +++ b/packages/auditd/3.1.0/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Dashboard for the Auditd Logs integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"event.action\",\"auditd.log.sequence\",\"user.name\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"623a62b9-8745-4fec-8738-bbe6fb8c16aa\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\
\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"efef3e71-f9ce-4a8e-8c27-68ad0d047d9b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Event Address Geo Location [Logs Auditd]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"8155deb8-6760-42ad-b14a-dd20958bcb52\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"typ
e\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Event Address Geo Location [Logs Auditd]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"09f4ba02-a62c-410f-8d43-31e9e5278826\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"09f4ba02-a62c-410f-8d43-31e9e5278826\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Auditd] Audit Events", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": 
"auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27", + "name": "7:panel_7", + "type": "search" + }, + { + "id": "logs-*", + "name": "09f4ba02-a62c-410f-8d43-31e9e5278826:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json b/packages/auditd/3.1.0/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json new file mode 100755 index 0000000000..d6ef417bea --- /dev/null +++ b/packages/auditd/3.1.0/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "event.action", + "auditd.log.sequence", + "user.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events [Logs Auditd]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json b/packages/auditd/3.1.0/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json new file mode 100755 index 0000000000..533fc81bb9 --- /dev/null +++ b/packages/auditd/3.1.0/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Event Results [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"expression\":\".es(q=\\\"data_stream.dataset:auditd.log NOT event.outcome:failure\\\").label(\\\"Success\\\"), .es(q=\\\"event.outcome:failed\\\").label(\\\"Failure\\\").title(\\\"Audit Event Results\\\")\",\"interval\":\"auto\"},\"title\":\"Event Results [Logs Auditd]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
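Review bot: The Failure series in the Timelion expression of the "Event Results" visualization queries `event.outcome:failed`, but ECS restricts `event.outcome` to `success`/`failure` (the README in this package describes it exactly that way, and the Success series itself excludes `event.outcome:failure`), so the failure line stays at zero and the panel under-reports failed audit events. The Failure query is also not scoped to `data_stream.dataset:auditd.log`, so if it ever did match it would count failures from any data stream on `logs-*`. Change it to `.es(q=\"data_stream.dataset:auditd.log AND event.outcome:failure\").label(\"Failure\")` so the two series are computed over the same data set with the correct value.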
diff --git a/packages/auditd/3.1.0/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json b/packages/auditd/3.1.0/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json new file mode 100755 index 0000000000..3aaa56b932 --- /dev/null +++ b/packages/auditd/3.1.0/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.action:\\\"EXECVE\\\" or event.action:\\\"execve\\\"\"}}" + }, + "title": "Top Exec Commands [Logs Auditd]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Command (arg 0)\",\"field\":\"auditd.log.a0\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Audit Top Exec Commands\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/auditd/3.1.0/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json b/packages/auditd/3.1.0/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json new file mode 100755 index 0000000000..fa18dd2400 --- /dev/null +++ b/packages/auditd/3.1.0/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event types breakdown [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Audit Event Types\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json b/packages/auditd/3.1.0/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json new file mode 100755 index 0000000000..9cd954ab52 --- /dev/null +++ b/packages/auditd/3.1.0/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Account Tag Cloud [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":42,\"minFontSize\":15,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Audit Event Account Tag Cloud\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json b/packages/auditd/3.1.0/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json new file mode 100755 index 0000000000..71876608a7 --- /dev/null +++ b/packages/auditd/3.1.0/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Address Geo Location [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Audit Event Address Geo Location\",\"type\":\"tile_map\"}" + }, + "id": "auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.1.0/manifest.yml b/packages/auditd/3.1.0/manifest.yml new file mode 100755 index 0000000000..d097886544 --- /dev/null +++ b/packages/auditd/3.1.0/manifest.yml 
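Review bot: This visualization is still a `tile_map` object exported at `migrationVersion.visualization: 7.10.0` with no `coreMigrationVersion`, whereas the two sibling visualizations added in this commit carry `coreMigrationVersion` and `migrationVersion` of `8.0.0` and no `namespaces` key, so the three assets were evidently exported from different stack versions. Given the `kibana.version: ^8.0.0` constraint in the manifest hunk below, I would re-export this one from an 8.x Kibana (tile_map is a legacy visualization type there) so the asset set is uniform and migrates predictably. The disabled `wms` stanza still embeds an external basemap URL that could be dropped at the same time.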
@@ -0,0 +1,32 @@ +name: auditd +title: Auditd Logs +version: 3.1.0 +release: ga +description: Collect logs from Linux audit daemon with Elastic Agent. +type: integration +icons: + - src: /img/linux.svg + title: linux + size: 299x354 + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - os_system +conditions: + kibana.version: ^8.0.0 +screenshots: + - src: /img/kibana-audit-auditd.png + title: Auditd Kibana Dashboard + size: 1230x997 + type: image/png +policy_templates: + - name: auditd + title: Auditd logs + description: Collect logs from Auditd instances + inputs: + - type: logfile + title: "Collect Auditd application logs (input: logfile)" + description: "Collecting application logs from Auditd instances (input: logfile)" +owner: + github: elastic/security-external-integrations diff --git a/packages/auditd_manager/1.0.0/changelog.yml b/packages/auditd_manager/1.0.0/changelog.yml new file mode 100755 index 0000000000..5b21722f73 --- /dev/null +++ b/packages/auditd_manager/1.0.0/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "1.0.0" + changes: + - description: Initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/2763 diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/1.0.0/data_stream/auditd/agent/stream/auditd.yml.hbs new file mode 100755 index 0000000000..626b5973ec --- /dev/null +++ b/packages/auditd_manager/1.0.0/data_stream/auditd/agent/stream/auditd.yml.hbs 
@@ -0,0 +1,34 @@ +# EQL expression evaluated by Elastic Agent to limit input to Linux. +condition: ${host.platform} == 'linux' + +type: audit/auditd +include_raw_message: true +{{#if multicast}} +socket_type: multicast +{{else}} +socket_type: unicast +{{/if}} +resolve_ids: {{resolve_ids}} +failure_mode: {{failure_mode}} +audit_rules: | +{{#each audit_rules as |rule i|}} + {{rule}} +{{/each}} +backlog_limit: {{backlog_limit}} +rate_limit: {{rate_limit}} +include_warnings: {{include_warnings}} +backpressure_strategy: {{backpressure_strategy}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml b/packages/auditd_manager/1.0.0/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1235e982bf --- /dev/null +++ b/packages/auditd_manager/1.0.0/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml 
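Review bot: The scalar substitutions `resolve_ids`, `failure_mode`, `backlog_limit`, `rate_limit`, `include_warnings` and `backpressure_strategy` are emitted unguarded, so an unset variable renders as a bare `key:` which the YAML loader reads as null instead of leaving the input's own default in place; the `processors` block, by contrast, is wrapped in `{{#if processors}}`. Unless the policy template guarantees a default for every one of them (the manifest is not in this hunk), guard each the same way, e.g. `{{#if failure_mode}}failure_mode: {{failure_mode}}{{/if}}`. A short comment above the `socket_type` switch would also help: as far as I recall, in multicast mode the input only consumes the kernel's audit stream and the rule, backlog and rate settings rendered below are not pushed to the kernel, so `# multicast: read-only consumer; audit_rules/backlog_limit/rate_limit are not applied` saves the next maintainer a trip to the docs.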
@@ -0,0 +1,242 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: event.original + target_field: auditd.messages + ignore_missing: true + - join: + field: auditd.messages + separator: "\n" + target_field: event.original + if: ctx?.auditd?.messages != null && ctx.auditd.messages instanceof List + - rename: + field: error.message + target_field: auditd.warnings + ignore_missing: true + - join: + field: auditd.warnings + separator: "\n" + target_field: error.message + if: | + ctx?.auditd?.warnings != null && + ctx.auditd.warnings instanceof List && + ctx.auditd.warnings.size() > 0 + - script: + lang: painless + description: Standardize all field names. + source: | + void handleMap(Map map) { + for (def k : map.keySet().toArray(new def[map.size()])) { + if (map[k] instanceof Map) { + handleMap(map[k]); + } + + if (k.contains("-")) { + map[k.replace("-", "_")] = map[k]; + map.remove(k); + } + } + } + handleMap(ctx); + - rename: + field: source.path + target_field: source.address + ignore_missing: true + ignore_failure: true + - rename: + field: destination.path + target_field: destination.address + ignore_missing: true + ignore_failure: true + - rename: + field: user.audit + target_field: auditd.user.audit + ignore_missing: true + ignore_failure: true + - rename: + field: user.new_auid + target_field: auditd.user.new_auid + ignore_missing: true + ignore_failure: true + - rename: + field: user.old_auid + target_field: auditd.user.old_auid + ignore_missing: true + ignore_failure: true + - rename: + field: file.selinux + target_field: auditd.file.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.selinux + target_field: auditd.user.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.saved + target_field: auditd.user.saved + ignore_missing: true + ignore_failure: true + - rename: + field: user.filesystem + target_field: 
auditd.user.filesystem + ignore_missing: true + ignore_failure: true + - set: + field: event.outcome + value: failure + if: ctx?.event?.outcome == "fail" + - rename: + field: auditd.sequence + target_field: event.sequence + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.id + target_field: event.id + ignore_missing: true + ignore_failure: true + - convert: + field: auditd.data.removed + type: long + ignore_missing: true + - convert: + field: auditd.data.items + type: long + ignore_missing: true + - convert: + field: auditd.data.lport + type: long + ignore_missing: true + - convert: + field: auditd.data.rport + type: long + ignore_missing: true + - convert: + field: auditd.data.sport + type: long + ignore_missing: true + - convert: + field: auditd.data.dport + type: long + ignore_missing: true + - convert: + field: auditd.data.entries + type: long + ignore_missing: true + - convert: + field: auditd.data.argc + type: long + ignore_missing: true + - convert: + field: auditd.data.seqno + type: long + ignore_missing: true + - convert: + field: auditd.data.nargs + type: long + ignore_missing: true + - convert: + field: auditd.data.socket.port + type: long + ignore_missing: true + - convert: + field: auditd.data.old_vcpu + type: long + ignore_missing: true + - convert: + field: auditd.data.new_vcpu + type: long + ignore_missing: true + - convert: + field: auditd.data.changed + type: long + ignore_missing: true + - convert: + field: auditd.data.added + type: long + ignore_missing: true + - convert: + field: destination.port + type: long + ignore_missing: true + - convert: + field: source.port + type: long + ignore_missing: true + - convert: + field: auditd.data.spid + type: long + ignore_missing: true + - convert: + field: auditd.data.opid + type: long + ignore_missing: true + - convert: + field: auditd.data.nlnk_pid + type: long + ignore_missing: true + - convert: + field: auditd.data.vm_pid + type: long + ignore_missing: true + - convert: + 
field: auditd.data.audit_pid + type: long + ignore_missing: true + - convert: + field: auditd.data.exit + type: long + ignore_missing: true + - convert: + field: process.pid + type: long + ignore_missing: true + - convert: + field: process.exit_code + type: long + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: auditd.messages + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/fields/base-fields.yml b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/base-fields.yml new file mode 100755 index 0000000000..4983274a50 --- /dev/null +++ b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/base-fields.yml 
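Review bot: The top-level `on_failure` handler overwrites `error.message` with `set`, discarding the warnings this same pipeline joined into `error.message` earlier, and it does not tag the document, so a failed event is indistinguishable from a clean one in any query on `event.kind`. Because it is the pipeline-level handler, a single unguarded `convert` (none of them sets `ignore_failure`; e.g. `auditd.data.exit` arriving non-numeric) aborts the remaining steps, including the `remove` of `event.original` and `auditd.messages` — such an event keeps the raw record regardless of `preserve_original_event` and skips the null-stripping script. Switching the handler to `append` and setting `event.kind: pipeline_error` makes failures visible; adding `ignore_failure: true` to the `convert` processors keeps the removal step reachable.
```yaml
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"
```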
@@ -0,0 +1,27 @@ +- description: Data stream type. + name: data_stream.type + type: constant_keyword +- description: Data stream dataset. + name: data_stream.dataset + type: constant_keyword +- description: Data stream namespace. + name: data_stream.namespace + type: constant_keyword +- description: Event module + name: event.module + type: constant_keyword + value: auditd +- description: Event dataset + name: event.dataset + type: constant_keyword + value: auditd_manager.auditd +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/fields/ecs.yml b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/ecs.yml new file mode 100755 index 0000000000..dba229ec47 --- /dev/null +++ b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/ecs.yml 
@@ -0,0 +1,185 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. 
+ name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: Device that is the source of the file. + name: file.device + type: keyword +- description: Primary group ID (GID) of the file. + name: file.gid + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Mode of the file in octal representation. + name: file.mode + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: The user ID (UID) or security identifier (SID) of the file owner. 
+ name: file.uid + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/fields/fields.yml b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/fields.yml new file mode 100755 index 0000000000..5a81d93041 --- /dev/null +++ b/packages/auditd_manager/1.0.0/data_stream/auditd/fields/fields.yml 
@@ -0,0 +1,742 @@ +- name: auditd.user.audit.id + type: keyword +- name: auditd.user.audit.name + type: keyword +- name: auditd.user.new_auid.id + type: keyword +- name: auditd.user.new_auid.name + type: keyword +- name: auditd.user.old_auid.id + type: keyword +- name: auditd.user.old_auid.name + type: keyword +- name: auditd.user.filesystem.id + type: keyword +- name: auditd.user.filesystem.name + type: keyword +- name: auditd.user.filesystem.group.id + type: keyword +- name: auditd.user.filesystem.group.name + type: keyword +- name: auditd.user.saved.id + type: keyword +- name: auditd.user.saved.name + type: keyword +- name: auditd.user.saved.group.id + type: keyword +- name: auditd.user.saved.group.name + type: keyword +- name: auditd.user.selinux.user + description: Account submitted for authentication + type: keyword +- name: auditd.user.selinux.role + description: User's SELinux role + type: keyword +- name: auditd.user.selinux.domain + description: The actor's SELinux domain or type. + type: keyword +- name: auditd.user.selinux.level + description: The actor's SELinux level. + type: keyword +- name: auditd.user.selinux.category + description: The actor's SELinux category or compartments. + type: keyword +- name: auditd.file.selinux.user + description: Account submitted for authentication + type: keyword +- name: auditd.file.selinux.role + description: User's SELinux role + type: keyword +- name: auditd.file.selinux.domain + description: The actor's SELinux domain or type. + type: keyword +- name: auditd.file.selinux.level + description: The actor's SELinux level. + type: keyword +- name: auditd.paths + type: flattened +- name: auditd.result + description: The result of the audited operation (success/fail). + type: keyword +- name: auditd.data.reset + type: keyword +- name: auditd.message_type + description: The audit message type (e.g. syscall or apparmor_denied). + type: keyword +- name: auditd.session + description: The session ID assigned to a login. 
All events related to a login session will have the same value. + type: keyword +- name: auditd.messages + description: An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config. + type: keyword +- name: auditd.warnings + description: The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. + type: keyword +- name: auditd.summary.actor.primary + description: The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. + type: keyword +- name: auditd.summary.actor.secondary + description: The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su. + type: keyword +- name: auditd.summary.object.type + description: A description of the what the "thing" is (e.g. file, socket, user-session). + type: keyword +- name: auditd.summary.object.primary + type: keyword +- name: auditd.summary.object.secondary + type: keyword +- name: auditd.summary.how + description: This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. 
+ type: keyword +- name: auditd.paths.inode + description: inode number + type: keyword +- name: auditd.paths.dev + description: Device name as found in /dev + type: keyword +- name: auditd.paths.obj_user + type: keyword +- name: auditd.paths.obj_role + type: keyword +- name: auditd.paths.obj_domain + type: keyword +- name: auditd.paths.obj_level + type: keyword +- name: auditd.paths.obj_type + type: keyword +- name: auditd.paths.ouid + description: File owner user ID + type: keyword +- name: auditd.paths.rdev + description: The device identifier (special files only) + type: keyword +- name: auditd.paths.nametype + description: Kind of file operation being referenced + type: keyword +- name: auditd.paths.ogid + description: File owner group ID + type: keyword +- name: auditd.paths.item + description: Which item is being recorded + type: keyword +- name: auditd.paths.mode + description: Mode flags on a file + type: keyword +- name: auditd.paths.name + desription: File name in avcs + type: keyword +- name: auditd.data.action + description: netfilter packet disposition + type: keyword +- name: auditd.data.minor + description: device minor number + type: keyword +- name: auditd.data.acct + description: a user's account name + type: keyword +- name: auditd.data.addr + description: the remote address that the user is connecting from + type: keyword +- name: auditd.data.cipher + description: name of crypto cipher selected + type: keyword +- name: auditd.data.id + description: during account changes + type: keyword +- name: auditd.data.entries + description: number of entries in the netfilter table + type: long +- name: auditd.data.kind + description: server or client in crypto operation + type: keyword +- name: auditd.data.ksize + description: key size for crypto operation + type: keyword +- name: auditd.data.spid + description: sent process ID + type: long +- name: auditd.data.arch + description: the elf architecture flags + type: keyword +- name: auditd.data.argc + 
description: the number of arguments to an execve syscall + type: long +- name: auditd.data.major + description: device major number + type: keyword +- name: auditd.data.unit + description: systemd unit + type: keyword +- name: auditd.data.table + description: netfilter table name + type: keyword +- name: auditd.data.terminal + description: terminal name the user is running programs on + type: keyword +- name: auditd.data.grantors + description: pam modules approving the action + type: keyword +- name: auditd.data.direction + description: direction of crypto operation + type: keyword +- name: auditd.data.op + description: the operation being performed that is audited + type: keyword +- name: auditd.data.tty + description: tty udevice the user is running programs on + type: keyword +- name: auditd.data.syscall + description: syscall number in effect when the event occurred + type: keyword +- name: auditd.data.data + description: TTY text + type: keyword +- name: auditd.data.family + description: netfilter protocol + type: keyword +- name: auditd.data.mac + description: crypto MAC algorithm selected + type: keyword +- name: auditd.data.pfs + description: perfect forward secrecy method + type: keyword +- name: auditd.data.items + description: the number of path records in the event + type: long +- name: auditd.data.hostname + description: the hostname that the user is connecting from + type: keyword +- name: auditd.data.lport + description: local network port + type: long +- name: auditd.data.rport + description: remote port number + type: long +- name: auditd.data.exit + description: syscall exit code + type: long +- name: auditd.data.fp + description: crypto key finger print + type: keyword +- name: auditd.data.laddr + description: local network address + type: keyword +- name: auditd.data.sport + description: local port number + type: long +- name: auditd.data.capability + description: posix capabilities + type: keyword +- name: auditd.data.nargs + description: the 
number of arguments to a socket call + type: long +- name: auditd.data.new_enabled + description: new TTY audit enabled setting + type: keyword +- name: auditd.data.audit_backlog_limit + description: audit system's backlog queue size + type: keyword +- name: auditd.data.dir + description: directory name + type: keyword +- name: auditd.data.cap_pe + description: process effective capability map + type: keyword +- name: auditd.data.model + description: security model being used for virt + type: keyword +- name: auditd.data.new_pp + description: new process permitted capability map + type: keyword +- name: auditd.data.old_enabled + description: present TTY audit enabled setting + type: keyword +- name: auditd.data.oauid + description: object's login user ID + type: keyword +- name: auditd.data.old + description: old value + type: keyword +- name: auditd.data.banners + description: banners used on printed page + type: keyword +- name: auditd.data.feature + description: kernel feature being changed + type: keyword +- name: auditd.data.vm_ctx + description: the vm's context string + type: keyword +- name: auditd.data.opid + description: object's process ID + type: long +- name: auditd.data.seperms + description: SELinux permissions being used + type: keyword +- name: auditd.data.seresult + description: SELinux AVC decision granted/denied + type: keyword +- name: auditd.data.new_rng + description: device name of rng being added from a vm + type: keyword +- name: auditd.data.old_net + description: present MAC address assigned to vm + type: keyword +- name: auditd.data.sigev_signo + description: signal number + type: keyword +- name: auditd.data.ino + description: inode number + type: keyword +- name: auditd.data.old_enforcing + description: old MAC enforcement status + type: keyword +- name: auditd.data.old_vcpu + description: present number of CPU cores + type: long +- name: auditd.data.range + description: user's SE Linux range + type: keyword +- name: auditd.data.res + 
description: result of the audited operation(success/fail) + type: keyword +- name: auditd.data.added + description: number of new files detected + type: long +- name: auditd.data.fam + description: socket address family + type: keyword +- name: auditd.data.nlnk_pid + description: pid of netlink packet sender + type: long +- name: auditd.data.subj + description: lspp subject's context string + type: keyword +- name: auditd.data.cgroup + description: path to cgroup in sysfs + type: keyword +- name: auditd.data.kernel + description: kernel's version number + type: keyword +- name: auditd.data.ocomm + description: object's command line name + type: keyword +- name: auditd.data.new_net + description: MAC address being assigned to vm + type: keyword +- name: auditd.data.permissive + description: SELinux is in permissive mode + type: keyword +- name: auditd.data.class + description: resource class assigned to vm + type: keyword +- name: auditd.data.compat + description: is_compat_task result + type: keyword +- name: auditd.data.fi + description: file assigned inherited capability map + type: keyword +- name: auditd.data.changed + description: number of changed files + type: long +- name: auditd.data.msg + description: the payload of the audit record + type: keyword +- name: auditd.data.dport + description: remote port number + type: long +- name: auditd.data.new_seuser + description: new SELinux user + type: keyword +- name: auditd.data.invalid_context + description: SELinux context + type: keyword +- name: auditd.data.dmac + description: remote MAC address + type: keyword +- name: auditd.data.ipx_net + description: IPX network number + type: keyword +- name: auditd.data.iuid + description: ipc object's user ID + type: keyword +- name: auditd.data.macproto + description: ethernet packet type ID field + type: keyword +- name: auditd.data.obj + description: lspp object context string + type: keyword +- name: auditd.data.ipid + description: IP datagram fragment identifier + 
type: keyword
+- name: auditd.data.new_fs
+ description: file system being added to vm
+ type: keyword
+- name: auditd.data.vm_pid
+ description: vm's process ID
+ type: long
+- name: auditd.data.cap_pi
+ description: process inherited capability map
+ type: keyword
+- name: auditd.data.old_auid
+ description: previous auid value
+ type: keyword
+- name: auditd.data.oses
+ description: object's session ID
+ type: keyword
+- name: auditd.data.fd
+ description: file descriptor number
+ type: keyword
+- name: auditd.data.igid
+ description: ipc object's group ID
+ type: keyword
+- name: auditd.data.new_disk
+ description: disk being added to vm
+ type: keyword
+- name: auditd.data.parent
+ description: the inode number of the parent file
+ type: keyword
+- name: auditd.data.len
+ description: length
+ type: keyword
+- name: auditd.data.oflag
+ description: open syscall flags
+ type: keyword
+- name: auditd.data.uuid
+ description: a UUID
+ type: keyword
+- name: auditd.data.code
+ description: seccomp action code
+ type: keyword
+- name: auditd.data.nlnk_grp
+ description: netlink group number
+ type: keyword
+- name: auditd.data.cap_fp
+ description: file permitted capability map
+ type: keyword
+- name: auditd.data.new_mem
+ description: new amount of memory in KB
+ type: keyword
+- name: auditd.data.seperm
+ description: SELinux permission being decided on
+ type: keyword
+- name: auditd.data.enforcing
+ description: new MAC enforcement status
+ type: keyword
+- name: auditd.data.new_chardev
+ description: new character device being assigned to vm
+ type: keyword
+- name: auditd.data.old_rng
+ description: device name of rng being removed from a vm
+ type: keyword
+- name: auditd.data.outif
+ description: out interface number
+ type: keyword
+- name: auditd.data.cmd
+ description: command being executed
+ type: keyword
+- name: auditd.data.hook
+ description: netfilter hook that packet came from
+ type: keyword
+- name: auditd.data.new_level
+ description: new run level
+ type: keyword
+- name: auditd.data.sauid
+ description: sent login user ID
+ type: keyword
+- name: auditd.data.sig
+ description: signal number
+ type: keyword
+- name: auditd.data.audit_backlog_wait_time
+ description: audit system's backlog wait time
+ type: keyword
+- name: auditd.data.printer
+ description: printer name
+ type: keyword
+- name: auditd.data.old_mem
+ description: present amount of memory in KB
+ type: keyword
+- name: auditd.data.perm
+ description: the file permission being used
+ type: keyword
+- name: auditd.data.old_pi
+ description: old process inherited capability map
+ type: keyword
+- name: auditd.data.state
+ description: audit daemon configuration resulting state
+ type: keyword
+- name: auditd.data.format
+ description: audit log's format
+ type: keyword
+- name: auditd.data.new_gid
+ description: new group ID being assigned
+ type: keyword
+- name: auditd.data.tcontext
+ description: the target's or object's context string
+ type: keyword
+- name: auditd.data.maj
+ description: device major number
+ type: keyword
+- name: auditd.data.watch
+ description: file name in a watch record
+ type: keyword
+- name: auditd.data.device
+ description: device name
+ type: keyword
+- name: auditd.data.grp
+ description: group name
+ type: keyword
+- name: auditd.data.bool
+ description: name of SELinux boolean
+ type: keyword
+- name: auditd.data.icmp_type
+ description: type of icmp message
+ type: keyword
+- name: auditd.data.new_lock
+ description: new value of feature lock
+ type: keyword
+- name: auditd.data.old_prom
+ description: network promiscuity flag
+ type: keyword
+- name: auditd.data.acl
+ description: access mode of resource assigned to vm
+ type: keyword
+- name: auditd.data.ip
+ description: network address of a printer
+ type: ip
+- name: auditd.data.new_pi
+ description: new process inherited capability map
+ type: keyword
+- name: auditd.data.default_context
+ description: default MAC context
+ type: keyword
+- name: auditd.data.inode_gid
+ description: group ID of the inode's owner
+ type: keyword
+- name: auditd.data.new_log_passwd
+ description: new value for TTY password logging
+ type: keyword
+- name: auditd.data.new_pe
+ description: new process effective capability map
+ type: keyword
+- name: auditd.data.selected_context
+ description: new MAC context assigned to session
+ type: keyword
+- name: auditd.data.cap_fver
+ description: file system capabilities version number
+ type: keyword
+- name: auditd.data.file
+ description: file name
+ type: keyword
+- name: auditd.data.net
+ description: network MAC address
+ type: keyword
+- name: auditd.data.virt
+ description: kind of virtualization being referenced
+ type: keyword
+- name: auditd.data.cap_pp
+ description: process permitted capability map
+ type: keyword
+- name: auditd.data.old_range
+ description: present SELinux range
+ type: keyword
+- name: auditd.data.resrc
+ description: resource being assigned
+ type: keyword
+- name: auditd.data.new_range
+ description: new SELinux range
+ type: keyword
+- name: auditd.data.obj_gid
+ description: group ID of object
+ type: keyword
+- name: auditd.data.proto
+ description: network protocol
+ type: keyword
+- name: auditd.data.old_disk
+ description: disk being removed from vm
+ type: keyword
+- name: auditd.data.audit_failure
+ description: audit system's failure mode
+ type: keyword
+- name: auditd.data.inif
+ description: in interface number
+ type: keyword
+- name: auditd.data.vm
+ description: virtual machine name
+ type: keyword
+- name: auditd.data.flags
+ description: mmap syscall flags
+ type: keyword
+- name: auditd.data.nlnk_fam
+ description: netlink protocol number
+ type: keyword
+- name: auditd.data.old_fs
+ description: file system being removed from vm
+ type: keyword
+- name: auditd.data.old_ses
+ description: previous ses value
+ type: keyword
+- name: auditd.data.new_ses
+ description: ses value
+ type: keyword
+- name: auditd.data.seqno
+ description: sequence number
+ type: long
+- name: auditd.data.fver
+ description: file system capabilities version number
+ type: keyword
+- name: auditd.data.qbytes
+ description: ipc objects quantity of bytes
+ type: keyword
+- name: auditd.data.seuser
+ description: user's SE Linux user acct
+ type: keyword
+- name: auditd.data.cap_fe
+ description: file assigned effective capability map
+ type: keyword
+- name: auditd.data.new_vcpu
+ description: new number of CPU cores
+ type: long
+- name: auditd.data.old_level
+ description: old run level
+ type: keyword
+- name: auditd.data.old_pp
+ description: old process permitted capability map
+ type: keyword
+- name: auditd.data.daddr
+ description: remote IP address
+ type: ip
+- name: auditd.data.old_role
+ description: present SELinux role
+ type: keyword
+- name: auditd.data.ioctlcmd
+ description: The request argument to the ioctl syscall
+ type: keyword
+- name: auditd.data.smac
+ description: local MAC address
+ type: keyword
+- name: auditd.data.apparmor
+ description: apparmor event information
+ type: keyword
+- name: auditd.data.fe
+ description: file assigned effective capability map
+ type: keyword
+- name: auditd.data.perm_mask
+ description: file permission mask that triggered a watch event
+ type: keyword
+- name: auditd.data.a0-N
+ description: the arguments to a syscall
+ type: keyword
+- name: auditd.data.ses
+ description: login session ID
+ type: keyword
+- name: auditd.data.cap_fi
+ description: file inherited capability map
+ type: keyword
+- name: auditd.data.obj_uid
+ description: user ID of object
+ type: keyword
+- name: auditd.data.reason
+ description: text string denoting a reason for the action
+ type: keyword
+- name: auditd.data.list
+ description: the audit system's filter list number
+ type: keyword
+- name: auditd.data.old_lock
+ description: present value of feature lock
+ type: keyword
+- name: auditd.data.bus
+ description: name of subsystem bus a vm resource belongs to
+ type: keyword
+- name: auditd.data.old_pe
+ description: old process effective capability map
+ type: keyword
+- name: auditd.data.new_role
+ description: new SELinux role
+ type: keyword
+- name: auditd.data.prom
+ description: network promiscuity flag
+ type: keyword
+- name: auditd.data.uri
+ description: URI pointing to a printer
+ type: keyword
+- name: auditd.data.audit_enabled
+ description: audit systems's enable/disable status
+ type: keyword
+- name: auditd.data.old_log_passwd
+ description: present value for TTY password logging
+ type: keyword
+- name: auditd.data.old_seuser
+ description: present SELinux user
+ type: keyword
+- name: auditd.data.per
+ description: linux personality
+ type: keyword
+- name: auditd.data.scontext
+ description: the subject's context string
+ type: keyword
+- name: auditd.data.tclass
+ description: target's object classification
+ type: keyword
+- name: auditd.data.ver
+ description: audit daemon's version number
+ type: keyword
+- name: auditd.data.new
+ description: value being set in feature
+ type: keyword
+- name: auditd.data.val
+ description: generic value associated with the operation
+ type: keyword
+- name: auditd.data.img_ctx
+ description: the vm's disk image context string
+ type: keyword
+- name: auditd.data.old_chardev
+ description: present character device assigned to vm
+ type: keyword
+- name: auditd.data.old_val
+ description: current value of SELinux boolean
+ type: keyword
+- name: auditd.data.success
+ description: whether the syscall was successful or not
+ type: keyword
+- name: auditd.data.inode_uid
+ description: user ID of the inode's owner
+ type: keyword
+- name: auditd.data.removed
+ description: number of deleted files
+ type: long
+- name: auditd.data.socket.port
+ description: The port number.
+ type: long
+- name: auditd.data.socket.saddr
+ description: The raw socket address structure.
+ type: keyword
+- name: auditd.data.socket.addr
+ description: The remote address.
+ type: keyword
+- name: auditd.data.socket.family
+ description: The socket family (unix, ipv4, ipv6, netlink).
+ type: keyword
+- name: auditd.data.socket.path
+ description: This is the path associated with a unix socket.
+ type: keyword
+- name: auditd.data.audit_pid
+ type: long
+- name: auditd.data.auid
+ type: keyword
+- name: auditd.data.frootid
+ type: keyword
+- name: auditd.data.old_pa
+ type: keyword
+- name: auditd.data.pa
+ type: keyword
+- name: auditd.data.pe
+ type: keyword
+- name: auditd.data.pi
+ type: keyword
+- name: auditd.data.pp
+ type: keyword
+- name: auditd.data.result
+ type: keyword
+- name: auditd.data
+ description: Auditd related data
+ type: flattened
diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/manifest.yml b/packages/auditd_manager/1.0.0/data_stream/auditd/manifest.yml
new file mode 100755
index 0000000000..1fea712b20
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/data_stream/auditd/manifest.yml
@@ -0,0 +1,149 @@
+title: "Auditd Manager"
+type: logs
+streams:
+ - input: audit/auditd
+ title: Auditd events
+ template_path: auditd.yml.hbs
+ description: Collect auditd events
+ vars:
+ - name: multicast
+ type: bool
+ title: Multicast socket type
+ show_user: true
+ multi: false
+ default: false
+ description: |
+ This setting controls if the socket type used to receive events is multicast.
+ This setting should be disabled when `elastic-agent` is the primary userspace
+ daemon for receiving audit events and managing the rules. Only a single process
+ can receive audit events if this is disabled, so any other daemons should be
+ stopped (e.g. stop `auditd`).
+
+ This setting can be enabled with kernel versions 3.16 and newer. By setting it
+ `elastic-agent` will receive an audit event broadcast that is not exclusive
+ to a single process. This is ideal for situations where `auditd` is running and
+ managing the rules.
+
+ If it is set to `true`, but the kernel version is less than 3.16 it will be
+ automatically disabled.
+ - name: resolve_ids
+ type: bool
+ title: Resolve IDs
+ show_user: true
+ multi: false
+ default: true
+ description: Enables the resolution of UIDs and GIDs to their associated names.
+ - name: failure_mode
+ type: text
+ title: Failure mode
+ required: true
+ multi: false
+ show_user: false
+ default: silent
+ description: |
+ This determines the kernel's behavior on critical
+ failures such as errors sending events to `elastic-agent`, the backlog limit was
+ exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
+ options are `silent`, `log`, or `panic`. `silent` makes the kernel
+ ignore the errors, `log` makes the kernel write the audit messages using
+ `printk` so they show up in system's syslog, and `panic` causes the kernel to
+ panic to prevent use of the machine.
+ - name: audit_rules
+ type: text
+ title: Audit rules
+ required: true
+ multi: true
+ show_user: true
+ description: |
+ List of the audit rules that should be
+ installed to the kernel. There should be one rule per line. Comments can be
+ embedded in the string using `#` as a prefix. The format for rules is the same
+ used by the Linux `auditctl` utility. `elastic-agent` supports adding file watches
+ (`-w`) and syscall rules (`-a` or `-A`). For more information,
+ see the integration detail page.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ default: false
+ multi: false
+ - name: backlog_limit
+ type: text
+ title: Backlog limit
+ required: true
+ show_user: false
+ default: 8192
+ description: This controls the maximum number of audit messages that will be buffered by the kernel.
+ multi: false
+ - name: rate_limit
+ type: text
+ title: Rate limit
+ required: true
+ show_user: false
+ default: 0
+ multi: false
+ description: |
+ This sets a rate limit on the number of messages/sec
+ delivered by the kernel. The default is `0`, which disables rate limiting.
+ Changing this value to anything other than zero can cause messages to be lost.
+ The preferred approach to reduce the messaging rate is be more selective in the
+ audit ruleset.
+ - name: include_warnings
+ required: true
+ show_user: false
+ multi: false
+ title: Include warnings
+ description: |
+ Causes to include as warnings any issues that were encountered while parsing the raw
+ messages. The messages are written to the `error.message` field.
+ When this setting is enabled the raw messages will be included
+ in the event regardless of the `Preserve original event` config setting. This
+ setting is primarily used for debugging purposes.
+ type: bool
+ default: false
+ - name: backpressure_strategy
+ type: text
+ title: Backpressure strategy
+ required: true
+ show_user: false
+ multi: false
+ default: auto
+ description: |
+ Specifies the strategy that used to
+ prevent backpressure from propagating to the kernel and impacting audited
+ processes.
+
+ The possible values are:
+
+ * `auto`: uses the `kernel` strategy, if supported, or
+ falls back to the `userspace` strategy.
+ * `kernel`: sets the `backlog_wait_time` in the kernel's
+ audit framework to 0. This causes events to be discarded in the kernel if
+ the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+ newer.
+ * `userspace`: drops events when there is backpressure
+ from the publishing pipeline. If no `Rate limit` is set, sets a rate
+ limit of `5000`. Users should test their setup and adjust the `Rate limit`
+ option accordingly.
+ * `both`: uses the `kernel` and `userspace` strategies at the same
+ time.
+ * `none`: No backpressure mitigation measures are enabled.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - auditd_manager-auditd
+ - name: processors
+ type: yaml
+ title: Processors
+ required: false
+ show_user: false
+ multi: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.
+ This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/auditd_manager/1.0.0/data_stream/auditd/sample_event.json b/packages/auditd_manager/1.0.0/data_stream/auditd/sample_event.json
new file mode 100755
index 0000000000..e999a53bf9
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/data_stream/auditd/sample_event.json
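Review bot: The `backlog_limit` and `rate_limit` vars are declared `type: text` but their defaults are written as bare numbers (`default: 8192`, `default: 0`), so a YAML loader types them as integers rather than the strings the declared type implies; quoting them, `default: "8192"` and `default: "0"`, keeps the manifest's declared type and the loaded value consistent. The same applies to `failure_mode` and `backpressure_strategy`, whose descriptions enumerate a closed set of values (`silent`/`log`/`panic`, `auto`/`kernel`/`userspace`/`both`/`none`) while the var is free text, so a typo in a policy is only caught when the agent tries to apply it; if the package-spec version used here supports a constrained var type, using it would validate these at configuration time, otherwise a sentence in each description saying that any other value is rejected by the agent (presumably; confirm against the input's validation) would help operators. Since `silent` is the default `failure_mode`, the description could also state plainly that audit events lost under that mode leave no trace on the host, so operators who need to detect audit loss should choose `log`.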
@@ -0,0 +1,133 @@
+{
+ "@timestamp": "2022-05-12T13:10:13.230Z",
+ "agent": {
+ "ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a",
+ "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
+ "name": "custom-agent",
+ "type": "auditbeat",
+ "version": "8.2.0"
+ },
+ "auditd": {
+ "data": {
+ "a0": "a",
+ "a1": "c00024e8c0",
+ "a2": "38",
+ "a3": "0",
+ "arch": "x86_64",
+ "audit_pid": "22501",
+ "auid": "unset",
+ "exit": "56",
+ "old": "0",
+ "op": "set",
+ "result": "success",
+ "ses": "unset",
+ "socket": {
+ "family": "netlink",
+ "saddr": "100000000000000000000000"
+ },
+ "syscall": "sendto",
+ "tty": "(none)"
+ },
+ "message_type": "config_change",
+ "messages": [
+ "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1",
+ "type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)",
+ "type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000",
+ "type=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C"
+ ],
+ "result": "success",
+ "summary": {
+ "actor": {
+ "primary": "unset",
+ "secondary": "root"
+ },
+ "how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
+ "object": {
+ "primary": "set",
+ "type": "audit-config"
+ }
+ },
+ "user": {
+ "filesystem": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ },
+ "saved": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "auditd_manager.auditd",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "changed-audit-configuration",
+ "agent_id_status": "verified",
+ "category": [
+ "process",
+ "configuration",
+ "network"
+ ],
+ "dataset": "auditd_manager.auditd",
+ "ingested": "2022-05-12T13:10:16Z",
+ "kind": "event",
+ "module": "auditd",
+ "original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C",
+ "outcome": "success",
+ "sequence": 94471,
+ "type": [
+ "change",
+ "connection",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "custom-agent"
+ },
+ "network": {
+ "direction": "egress"
+ },
+ "process": {
+ "executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
+ "name": "auditbeat",
+ "parent": {
+ "pid": 9509
+ },
+ "pid": 22501,
+ "title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml"
+ },
+ "service": {
+ "type": "auditd"
+ },
+ "tags": [
+ "preserve_original_event",
+ "auditd_manager-auditd"
+ ],
+ "user": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ }
+}
\ No newline at end of file
diff --git a/packages/auditd_manager/1.0.0/docs/README.md b/packages/auditd_manager/1.0.0/docs/README.md
new file mode 100755
index 0000000000..918d3f96a2
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/docs/README.md
@@ -0,0 +1,567 @@ +# Auditd Manager Integration + +The Auditd Manager Integration receives audit events from the Linux Audit Framework that +is a part of the Linux kernel. + +This integration is available only for Linux. + +## How it works + +This integration establishes a subscription to the kernel to receive the events +as they occur. + +The Linux Audit Framework can send multiple messages for a single auditable +event. For example, a `rename` syscall causes the kernel to send eight separate +messages. Each message describes a different aspect of the activity that is +occurring (the syscall itself, file paths, current working directory, process +title). This integration will combine all of the data from each of the messages +into a single event. + +Messages for one event can be interleaved with messages from another event. This +module will buffer the messages in order to combine related messages into a +single event even if they arrive interleaved or out of order. + +## Useful commands + +When running this integration, you might find that other monitoring tools interfere with it. + +For example, you might encounter errors if another process, such as `auditd`, is +registered to receive data from the Linux Audit Framework. You can use these +commands to see if the `auditd` service is running and stop it: + +* See if `auditd` is running: + +```shell +service auditd status +``` + +* Stop the `auditd` service: + +```shell +service auditd stop +``` + +* Disable `auditd` from starting on boot: + +```shell +chkconfig auditd off +``` + +To save CPU usage and disk space, you can use this command to stop `journald` +from listening to audit messages: + +```shell +systemctl mask systemd-journald-audit.socket +``` + +## Audit rules + +The audit rules are where you configure the activities that are audited. These +rules are configured as either syscalls or files that should be monitored. For +example you can track all `connect` syscalls or file system writes to +`/etc/passwd`. 
+ +Auditing a large number of syscalls can place a heavy load on the system so +consider carefully the rules you define and try to apply filters in the rules +themselves to be as selective as possible. + +The kernel evaluates the rules in the order in which they were defined so place +the most active rules first in order to speed up evaluation. + +You can assign keys to each rule for better identification of the rule that +triggered an event and easier filtering later in Elasticsearch. + +Defining any audit rules in the config causes `elastic-agent` to purge all +existing audit rules prior to adding the rules specified in the config. +Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule. + +Examples: + +```sh +## If you are on a 64 bit platform, everything should be running +## in 64 bit mode. This rule will detect any use of the 32 bit syscalls +## because this might be a sign of someone exploiting a hole in the 32 +## bit API. +-a always,exit -F arch=b32 -S all -F key=32bit-abi + +## Executions. +-a always,exit -F arch=b64 -S execve,execveat -k exec + +## External access (warning: these can be expensive to audit). +-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access + +## Unauthorized access attempts. +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access + +# Things that affect identity. +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity + +# Unauthorized access attempts to files (unsuccessful). 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access +``` + +An example event for `auditd` looks as following: + +```json +{ + "@timestamp": "2022-05-12T13:10:13.230Z", + "agent": { + "ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a", + "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1", + "name": "custom-agent", + "type": "auditbeat", + "version": "8.2.0" + }, + "auditd": { + "data": { + "a0": "a", + "a1": "c00024e8c0", + "a2": "38", + "a3": "0", + "arch": "x86_64", + "audit_pid": "22501", + "auid": "unset", + "exit": "56", + "old": "0", + "op": "set", + "result": "success", + "ses": "unset", + "socket": { + "family": "netlink", + "saddr": "100000000000000000000000" + }, + "syscall": "sendto", + "tty": "(none)" + }, + "message_type": "config_change", + "messages": [ + "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1", + "type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)", + "type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000", + "type=PROCTITLE msg=audit(1652361013.230:94471): 
proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C" + ], + "result": "success", + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat", + "object": { + "primary": "set", + "type": "audit-config" + } + }, + "user": { + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + } + } + }, + "data_stream": { + "dataset": "auditd_manager.auditd", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "changed-audit-configuration", + "agent_id_status": "verified", + "category": [ + "process", + "configuration", + "network" + ], + "dataset": "auditd_manager.auditd", + "ingested": "2022-05-12T13:10:16Z", + "kind": "event", + "module": "auditd", + "original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): 
proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C", + "outcome": "success", + "sequence": 94471, + "type": [ + "change", + "connection", + "info" + ] + }, + "host": { + "name": "custom-agent" + }, + "network": { + "direction": "egress" + }, + "process": { + "executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat", + "name": "auditbeat", + "parent": { + "pid": 9509 + }, + "pid": 22501, + "title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event", + "auditd_manager-auditd" + ], + "user": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| auditd.data | Auditd related data | flattened | +| auditd.data.a0-N | the arguments to a syscall | keyword | +| auditd.data.acct | a user's account name | keyword | +| auditd.data.acl | access mode of resource assigned to vm | keyword | +| auditd.data.action | netfilter packet disposition | keyword | +| auditd.data.added | number of new files detected | long | +| auditd.data.addr | the remote address that the user is connecting from | keyword | +| auditd.data.apparmor | apparmor event information | keyword | +| auditd.data.arch | the elf architecture flags | keyword | +| auditd.data.argc | the number of arguments to an execve syscall | long | +| auditd.data.audit_backlog_limit | audit system's backlog queue size | keyword | +| auditd.data.audit_backlog_wait_time | audit system's backlog wait time | keyword | +| auditd.data.audit_enabled | audit systems's enable/disable status | keyword | +| auditd.data.audit_failure | audit system's failure mode | keyword | +| auditd.data.audit_pid | | long | +| auditd.data.auid | | keyword | +| auditd.data.banners | banners used on printed page | keyword | +| auditd.data.bool | name of SELinux boolean | keyword | +| auditd.data.bus | name of subsystem bus a vm resource belongs to | keyword | +| auditd.data.cap_fe | file assigned effective capability map | keyword | +| auditd.data.cap_fi | file inherited capability map | keyword | +| auditd.data.cap_fp | file permitted capability map | keyword | +| auditd.data.cap_fver | file system capabilities version number | keyword | +| auditd.data.cap_pe | process effective capability map | keyword | +| auditd.data.cap_pi | process inherited capability map | keyword | +| auditd.data.cap_pp | process permitted capability map | keyword | +| auditd.data.capability | posix capabilities | keyword | +| auditd.data.cgroup | path to cgroup in sysfs | keyword | +| auditd.data.changed | number of changed files | long | +| auditd.data.cipher | name of crypto cipher selected | keyword | +| 
auditd.data.class | resource class assigned to vm | keyword | +| auditd.data.cmd | command being executed | keyword | +| auditd.data.code | seccomp action code | keyword | +| auditd.data.compat | is_compat_task result | keyword | +| auditd.data.daddr | remote IP address | ip | +| auditd.data.data | TTY text | keyword | +| auditd.data.default_context | default MAC context | keyword | +| auditd.data.device | device name | keyword | +| auditd.data.dir | directory name | keyword | +| auditd.data.direction | direction of crypto operation | keyword | +| auditd.data.dmac | remote MAC address | keyword | +| auditd.data.dport | remote port number | long | +| auditd.data.enforcing | new MAC enforcement status | keyword | +| auditd.data.entries | number of entries in the netfilter table | long | +| auditd.data.exit | syscall exit code | long | +| auditd.data.fam | socket address family | keyword | +| auditd.data.family | netfilter protocol | keyword | +| auditd.data.fd | file descriptor number | keyword | +| auditd.data.fe | file assigned effective capability map | keyword | +| auditd.data.feature | kernel feature being changed | keyword | +| auditd.data.fi | file assigned inherited capability map | keyword | +| auditd.data.file | file name | keyword | +| auditd.data.flags | mmap syscall flags | keyword | +| auditd.data.format | audit log's format | keyword | +| auditd.data.fp | crypto key finger print | keyword | +| auditd.data.frootid | | keyword | +| auditd.data.fver | file system capabilities version number | keyword | +| auditd.data.grantors | pam modules approving the action | keyword | +| auditd.data.grp | group name | keyword | +| auditd.data.hook | netfilter hook that packet came from | keyword | +| auditd.data.hostname | the hostname that the user is connecting from | keyword | +| auditd.data.icmp_type | type of icmp message | keyword | +| auditd.data.id | during account changes | keyword | +| auditd.data.igid | ipc object's group ID | keyword | +| 
auditd.data.img_ctx | the vm's disk image context string | keyword | +| auditd.data.inif | in interface number | keyword | +| auditd.data.ino | inode number | keyword | +| auditd.data.inode_gid | group ID of the inode's owner | keyword | +| auditd.data.inode_uid | user ID of the inode's owner | keyword | +| auditd.data.invalid_context | SELinux context | keyword | +| auditd.data.ioctlcmd | The request argument to the ioctl syscall | keyword | +| auditd.data.ip | network address of a printer | ip | +| auditd.data.ipid | IP datagram fragment identifier | keyword | +| auditd.data.ipx_net | IPX network number | keyword | +| auditd.data.items | the number of path records in the event | long | +| auditd.data.iuid | ipc object's user ID | keyword | +| auditd.data.kernel | kernel's version number | keyword | +| auditd.data.kind | server or client in crypto operation | keyword | +| auditd.data.ksize | key size for crypto operation | keyword | +| auditd.data.laddr | local network address | keyword | +| auditd.data.len | length | keyword | +| auditd.data.list | the audit system's filter list number | keyword | +| auditd.data.lport | local network port | long | +| auditd.data.mac | crypto MAC algorithm selected | keyword | +| auditd.data.macproto | ethernet packet type ID field | keyword | +| auditd.data.maj | device major number | keyword | +| auditd.data.major | device major number | keyword | +| auditd.data.minor | device minor number | keyword | +| auditd.data.model | security model being used for virt | keyword | +| auditd.data.msg | the payload of the audit record | keyword | +| auditd.data.nargs | the number of arguments to a socket call | long | +| auditd.data.net | network MAC address | keyword | +| auditd.data.new | value being set in feature | keyword | +| auditd.data.new_chardev | new character device being assigned to vm | keyword | +| auditd.data.new_disk | disk being added to vm | keyword | +| auditd.data.new_enabled | new TTY audit enabled setting | keyword | 
+| auditd.data.new_fs | file system being added to vm | keyword | +| auditd.data.new_gid | new group ID being assigned | keyword | +| auditd.data.new_level | new run level | keyword | +| auditd.data.new_lock | new value of feature lock | keyword | +| auditd.data.new_log_passwd | new value for TTY password logging | keyword | +| auditd.data.new_mem | new amount of memory in KB | keyword | +| auditd.data.new_net | MAC address being assigned to vm | keyword | +| auditd.data.new_pe | new process effective capability map | keyword | +| auditd.data.new_pi | new process inherited capability map | keyword | +| auditd.data.new_pp | new process permitted capability map | keyword | +| auditd.data.new_range | new SELinux range | keyword | +| auditd.data.new_rng | device name of rng being added from a vm | keyword | +| auditd.data.new_role | new SELinux role | keyword | +| auditd.data.new_ses | ses value | keyword | +| auditd.data.new_seuser | new SELinux user | keyword | +| auditd.data.new_vcpu | new number of CPU cores | long | +| auditd.data.nlnk_fam | netlink protocol number | keyword | +| auditd.data.nlnk_grp | netlink group number | keyword | +| auditd.data.nlnk_pid | pid of netlink packet sender | long | +| auditd.data.oauid | object's login user ID | keyword | +| auditd.data.obj | lspp object context string | keyword | +| auditd.data.obj_gid | group ID of object | keyword | +| auditd.data.obj_uid | user ID of object | keyword | +| auditd.data.ocomm | object's command line name | keyword | +| auditd.data.oflag | open syscall flags | keyword | +| auditd.data.old | old value | keyword | +| auditd.data.old_auid | previous auid value | keyword | +| auditd.data.old_chardev | present character device assigned to vm | keyword | +| auditd.data.old_disk | disk being removed from vm | keyword | +| auditd.data.old_enabled | present TTY audit enabled setting | keyword | +| auditd.data.old_enforcing | old MAC enforcement status | keyword | +| auditd.data.old_fs | file system being 
removed from vm | keyword | +| auditd.data.old_level | old run level | keyword | +| auditd.data.old_lock | present value of feature lock | keyword | +| auditd.data.old_log_passwd | present value for TTY password logging | keyword | +| auditd.data.old_mem | present amount of memory in KB | keyword | +| auditd.data.old_net | present MAC address assigned to vm | keyword | +| auditd.data.old_pa | | keyword | +| auditd.data.old_pe | old process effective capability map | keyword | +| auditd.data.old_pi | old process inherited capability map | keyword | +| auditd.data.old_pp | old process permitted capability map | keyword | +| auditd.data.old_prom | network promiscuity flag | keyword | +| auditd.data.old_range | present SELinux range | keyword | +| auditd.data.old_rng | device name of rng being removed from a vm | keyword | +| auditd.data.old_role | present SELinux role | keyword | +| auditd.data.old_ses | previous ses value | keyword | +| auditd.data.old_seuser | present SELinux user | keyword | +| auditd.data.old_val | current value of SELinux boolean | keyword | +| auditd.data.old_vcpu | present number of CPU cores | long | +| auditd.data.op | the operation being performed that is audited | keyword | +| auditd.data.opid | object's process ID | long | +| auditd.data.oses | object's session ID | keyword | +| auditd.data.outif | out interface number | keyword | +| auditd.data.pa | | keyword | +| auditd.data.parent | the inode number of the parent file | keyword | +| auditd.data.pe | | keyword | +| auditd.data.per | linux personality | keyword | +| auditd.data.perm | the file permission being used | keyword | +| auditd.data.perm_mask | file permission mask that triggered a watch event | keyword | +| auditd.data.permissive | SELinux is in permissive mode | keyword | +| auditd.data.pfs | perfect forward secrecy method | keyword | +| auditd.data.pi | | keyword | +| auditd.data.pp | | keyword | +| auditd.data.printer | printer name | keyword | +| auditd.data.prom | network 
promiscuity flag | keyword | +| auditd.data.proto | network protocol | keyword | +| auditd.data.qbytes | ipc objects quantity of bytes | keyword | +| auditd.data.range | user's SE Linux range | keyword | +| auditd.data.reason | text string denoting a reason for the action | keyword | +| auditd.data.removed | number of deleted files | long | +| auditd.data.res | result of the audited operation(success/fail) | keyword | +| auditd.data.reset | | keyword | +| auditd.data.resrc | resource being assigned | keyword | +| auditd.data.result | | keyword | +| auditd.data.rport | remote port number | long | +| auditd.data.sauid | sent login user ID | keyword | +| auditd.data.scontext | the subject's context string | keyword | +| auditd.data.selected_context | new MAC context assigned to session | keyword | +| auditd.data.seperm | SELinux permission being decided on | keyword | +| auditd.data.seperms | SELinux permissions being used | keyword | +| auditd.data.seqno | sequence number | long | +| auditd.data.seresult | SELinux AVC decision granted/denied | keyword | +| auditd.data.ses | login session ID | keyword | +| auditd.data.seuser | user's SE Linux user acct | keyword | +| auditd.data.sig | signal number | keyword | +| auditd.data.sigev_signo | signal number | keyword | +| auditd.data.smac | local MAC address | keyword | +| auditd.data.socket.addr | The remote address. | keyword | +| auditd.data.socket.family | The socket family (unix, ipv4, ipv6, netlink). | keyword | +| auditd.data.socket.path | This is the path associated with a unix socket. | keyword | +| auditd.data.socket.port | The port number. | long | +| auditd.data.socket.saddr | The raw socket address structure. 
| keyword | +| auditd.data.spid | sent process ID | long | +| auditd.data.sport | local port number | long | +| auditd.data.state | audit daemon configuration resulting state | keyword | +| auditd.data.subj | lspp subject's context string | keyword | +| auditd.data.success | whether the syscall was successful or not | keyword | +| auditd.data.syscall | syscall number in effect when the event occurred | keyword | +| auditd.data.table | netfilter table name | keyword | +| auditd.data.tclass | target's object classification | keyword | +| auditd.data.tcontext | the target's or object's context string | keyword | +| auditd.data.terminal | terminal name the user is running programs on | keyword | +| auditd.data.tty | tty udevice the user is running programs on | keyword | +| auditd.data.unit | systemd unit | keyword | +| auditd.data.uri | URI pointing to a printer | keyword | +| auditd.data.uuid | a UUID | keyword | +| auditd.data.val | generic value associated with the operation | keyword | +| auditd.data.ver | audit daemon's version number | keyword | +| auditd.data.virt | kind of virtualization being referenced | keyword | +| auditd.data.vm | virtual machine name | keyword | +| auditd.data.vm_ctx | the vm's context string | keyword | +| auditd.data.vm_pid | vm's process ID | long | +| auditd.data.watch | file name in a watch record | keyword | +| auditd.file.selinux.domain | The actor's SELinux domain or type. | keyword | +| auditd.file.selinux.level | The actor's SELinux level. | keyword | +| auditd.file.selinux.role | User's SELinux role | keyword | +| auditd.file.selinux.user | Account submitted for authentication | keyword | +| auditd.message_type | The audit message type (e.g. syscall or apparmor_denied). | keyword | +| auditd.messages | An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config. 
| keyword | +| auditd.paths | | flattened | +| auditd.paths.dev | Device name as found in /dev | keyword | +| auditd.paths.inode | inode number | keyword | +| auditd.paths.item | Which item is being recorded | keyword | +| auditd.paths.mode | Mode flags on a file | keyword | +| auditd.paths.name | | keyword | +| auditd.paths.nametype | Kind of file operation being referenced | keyword | +| auditd.paths.obj_domain | | keyword | +| auditd.paths.obj_level | | keyword | +| auditd.paths.obj_role | | keyword | +| auditd.paths.obj_type | | keyword | +| auditd.paths.obj_user | | keyword | +| auditd.paths.ogid | File owner group ID | keyword | +| auditd.paths.ouid | File owner user ID | keyword | +| auditd.paths.rdev | The device identifier (special files only) | keyword | +| auditd.result | The result of the audited operation (success/fail). | keyword | +| auditd.session | The session ID assigned to a login. All events related to a login session will have the same value. | keyword | +| auditd.summary.actor.primary | The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. | keyword | +| auditd.summary.actor.secondary | The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su. | keyword | +| auditd.summary.how | This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. | keyword | +| auditd.summary.object.primary | | keyword | +| auditd.summary.object.secondary | | keyword | +| auditd.summary.object.type | A description of the what the "thing" is (e.g. file, socket, user-session). 
| keyword | +| auditd.user.audit.id | | keyword | +| auditd.user.audit.name | | keyword | +| auditd.user.filesystem.group.id | | keyword | +| auditd.user.filesystem.group.name | | keyword | +| auditd.user.filesystem.id | | keyword | +| auditd.user.filesystem.name | | keyword | +| auditd.user.new_auid.id | | keyword | +| auditd.user.new_auid.name | | keyword | +| auditd.user.old_auid.id | | keyword | +| auditd.user.old_auid.name | | keyword | +| auditd.user.saved.group.id | | keyword | +| auditd.user.saved.group.name | | keyword | +| auditd.user.saved.id | | keyword | +| auditd.user.saved.name | | keyword | +| auditd.user.selinux.category | The actor's SELinux category or compartments. | keyword | +| auditd.user.selinux.domain | The actor's SELinux domain or type. | keyword | +| auditd.user.selinux.level | The actor's SELinux level. | keyword | +| auditd.user.selinux.role | User's SELinux role | keyword | +| auditd.user.selinux.user | Account submitted for authentication | keyword | +| auditd.warnings | The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| file.device | Device that is the source of the file. | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. 
| keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. 
| match_only_text | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. 
| keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + diff --git a/packages/auditd_manager/1.0.0/img/executions.png b/packages/auditd_manager/1.0.0/img/executions.png new file mode 100755 index 0000000000..0d490acd6c Binary files /dev/null and b/packages/auditd_manager/1.0.0/img/executions.png differ diff --git a/packages/auditd_manager/1.0.0/img/linux.svg b/packages/auditd_manager/1.0.0/img/linux.svg new file mode 100755 index 0000000000..c0a92e0c0f --- /dev/null +++ b/packages/auditd_manager/1.0.0/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/auditd_manager/1.0.0/img/overview.png b/packages/auditd_manager/1.0.0/img/overview.png new file mode 100755 index 0000000000..dbc3e91031 Binary files /dev/null and b/packages/auditd_manager/1.0.0/img/overview.png differ 
diff --git a/packages/auditd_manager/1.0.0/img/sockets.png b/packages/auditd_manager/1.0.0/img/sockets.png
new file mode 100755
index 0000000000..152107aa06
Binary files /dev/null and b/packages/auditd_manager/1.0.0/img/sockets.png differ
diff --git a/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
new file mode 100755
index 0000000000..c1f37294df
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
@@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "Summary of socket related syscall events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd_manager.auditd\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"#### [Overview](/app/dashboards#/view/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16) - **Sockets** - [Executions](/app/dashboards#/view/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16)\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":4,\"i\":\"2b0bfe71-70d5-431c-a7ae-45b965ce1b16\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"2b0bfe71-70d5-431c-a7ae-45b965ce1b16\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"95b603d0-c252-11e7-8a68-93ffe9ec5950\"}],\"bar_color_rules\":[{\"id\":\"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"auditd.summary.object.type:socket\"},\"gauge_color_rules\":[{\"id\":\"6c891740-c252-11e7-8a68-93ffe9ec5950\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"legend_position\":\"left\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\
"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"syscall\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"auditd.data.syscall\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"a9f3b71d-3b8f-44c0-b581-ba208c117e05\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"a9f3b71d-3b8f-44c0-b581-ba208c117e05\",\"title\":\"[Auditd Manager] Socket Syscalls Time Series\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Socket 
Family\",\"field\":\"auditd.data.socket.family\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Syscall\",\"field\":\"auditd.data.syscall\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addTooltip\":true,\"distinctColors\":true,\"emptySizeRatio\":0.3,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendDisplay\":\"show\",\"legendPosition\":\"left\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"type\":\"pie\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"843ccc25-3963-4bd5-838e-b40019bcf3c5\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"843ccc25-3963-4bd5-838e-b40019bcf3c5\",\"title\":\"[Auditd Manager] Socket 
Families\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exe\",\"field\":\"auditd.summary.how\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"auditd.summary.object.primary\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Port\",\"field\":\"auditd.summary.object.secondary\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"apply\":true,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"auditd.summary.object.secondary\",\"negate\":true,\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\"},\"query\":{\"match\":{\"auditd.summary.object.secondary\":{\"query\":\"0\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"type\":\"table\",\"ui
State\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}},\"gridData\":{\"h\":16,\"i\":\"1e9272d7-090a-443b-bc0c-3d8afae53e76\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"1e9272d7-090a-443b-bc0c-3d8afae53e76\",\"title\":\"[Auditd Manager] Bind (non-ephemeral)\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exe\",\"field\":\"process.executable\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"auditd.summary.object.primary\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Port\",\"field\":\"auditd.summary.object.secondary\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"type\":\"table\",\"uiState\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}},\"gridData\":{\"h\":20,\"i\":\"d91afd3e-4c8e-41d9-b038-78bcffbe1
e0e\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"d91afd3e-4c8e-41d9-b038-78bcffbe1e0e\",\"title\":\"[Auditd Manager] Connect\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Addresses\",\"emptyAsNull\":false,\"field\":\"auditd.summary.object.primary\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exe\",\"field\":\"process.executable\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Syscall\",\"field\":\"auditd.data.syscall\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"type\":\"table\",\"uiState\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}},\"gridData\":{\"h\":20,\"i\":\"cd08c022-92e5-4012-a94d-6e459948c42c\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"cd08c022-92e5-4012-a94d-6e459948c42c\",\"title\":\"[Auditd Manager] Accept / Recvfrom Unique Address Table\",\"type\":\"visualization\",\"version\":\"8.2.0\"}]", + "timeRestore": false, + "title": "[Auditd Manager] Sockets", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": 
"auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a",
+ "migrationVersion": {
+ "dashboard": "8.2.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "843ccc25-3963-4bd5-838e-b40019bcf3c5:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a",
+ "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a",
+ "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:search_0",
+ "type": "search"
+ },
+ {
+ "id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a",
+ "name": "cd08c022-92e5-4012-a94d-6e459948c42c:search_0",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json
new file mode 100755
index 0000000000..9e03776020
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json
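Review bot: The three socket tables in `panelsJSON` disagree on what their `Exe` column buckets on: the `[Auditd Manager] Bind (non-ephemeral)` panel uses `\"field\":\"auditd.summary.how\"`, while the `Connect` and `Accept / Recvfrom Unique Address Table` panels use `\"field\":\"process.executable\"`, so the same process can be labelled differently across panels of one dashboard and an analyst pivoting from one table to another will not get matching rows. The auditd field table earlier in this diff describes `auditd.summary.how` as "usually" the exe or command, so if that looser field is intended it should be used in all three tables; otherwise change the Bind panel to `\"field\":\"process.executable\"` to match the other two. The Bind panel also orders every bucket by `_key` where the other tables order by count (`\"orderBy\":\"1\"`), which looks accidental rather than deliberate and is worth confirming. The file is also missing its trailing newline.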
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "Overview of kernel executions", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd_manager.auditd\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"search\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"#### [Overview](/app/dashboards#/view/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16) - [Sockets](/app/dashboards#/view/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a) - 
**Executions**\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":4,\"i\":\"f2ce7c72-d0f9-41a5-8738-11d4820c0774\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f2ce7c72-d0f9-41a5-8738-11d4820c0774\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auditd.summary.actor.primary\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":45,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67\",\"title\":\"[Auditd Manager] Primary Username Tag 
Cloud\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"process.executable\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":45,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"459f779e-e668-4048-a1d5-fa5806262646\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"459f779e-e668-4048-a1d5-fa5806262646\",\"title\":\"[Auditd Manager] Executable Name Tag Cloud\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auditd.data.exit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"Command 
executions\",\"params\":{\"addTooltip\":true,\"distinctColors\":true,\"emptySizeRatio\":0.3,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"type\":\"pie\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"b65a07a2-a0d7-4dab-921a-8afbe066d025\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"b65a07a2-a0d7-4dab-921a-8afbe066d025\",\"title\":\"[Auditd Manager] Error Codes\",\"type\":\"visualization\",\"version\":\"8.2.0\"}]", + "timeRestore": false, + "title": "[Auditd Manager] Executions", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "6:panel_6", + "type": "search" + }, + { + "id": "logs-*", + "name": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "459f779e-e668-4048-a1d5-fa5806262646:search_0", + "type": "search" + }, + { + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "b65a07a2-a0d7-4dab-921a-8afbe066d025:search_0", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json new file mode 100755 index 0000000000..2999bd23c4 --- /dev/null 
+++ b/packages/auditd_manager/1.0.0/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Summary of Linux kernel audit events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd_manager.auditd\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"#### **Overview** - [Sockets](/app/dashboards#/view/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a) - [Executions](/app/dashboards#/view/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16)\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":4,\"i\":\"7969164a-3810-485c-b3ad-948b1930f6d0\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7969164a-3810-485c-b3ad-948b1930f6d0\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",
\"interval\":\"auto\",\"legend_position\":\"left\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Actions\",\"line_width\":1,\"metrics\":[{\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"event.action\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"c89b1ae9-3f74-4088-bb68-a0fdcf3aad94\",\"w\":28,\"x\":0,\"y\":4},\"panelIndex\":\"c89b1ae9-3f74-4088-bb68-a0fdcf3aad94\",\"title\":\"[Auditd Manager] Event Actions\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"event.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addTooltip\":true,\"distinctColors\":true,\"em
ptySizeRatio\":0.3,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"type\":\"pie\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"af0b3b3c-90d5-4490-a2d0-9c0050d2adf5\",\"w\":20,\"x\":28,\"y\":4},\"panelIndex\":\"af0b3b3c-90d5-4490-a2d0-9c0050d2adf5\",\"title\":\"[Auditd Manager] Event Categories\",\"type\":\"visualization\",\"version\":\"8.2.0\"}]", + "timeRestore": false, + "title": "[Auditd Manager] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "name": "5:panel_5", + "type": "search" + }, + { + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json new file mode 100755 index 0000000000..4c53fd2da1 --- /dev/null +++ b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json 
@@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "event.action", + "auditd.summary.object.type", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.summary.how", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Audit Event Table", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json new file mode 100755 index 0000000000..63e7c57b07 --- /dev/null +++ b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json 
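Review bot: This saved search's `searchSourceJSON` carries an empty KQL query and an empty `filter` list against the `logs-*` index pattern, while the dataset scoping (`data_stream.dataset:auditd_manager.auditd`) lives only in the dashboards that embed it. Opened on its own from Discover, `[Auditd Manager] Audit Event Table` would therefore match every document in `logs-*`, with the `auditd.*` columns blank for anything that is not an auditd event. Setting the search's own query to `\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd_manager.auditd\"}` keeps it self-contained; the other four saved searches in this commit filter on `event.action` or `auditd.data.syscall` but likewise never on the dataset, so the same one-line change applies to each.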
@@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result", + "auditd.data.exit" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"connected-to\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"connected-to\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"auditd.summary.object.primary\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Connects", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json new file mode 100755 index 0000000000..46d2f5f2e0 --- /dev/null 
+++ b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"auditd.data.syscall\",\"negate\":false,\"params\":{\"query\":\"bind\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"bind\"},\"query\":{\"match\":{\"auditd.data.syscall\":{\"query\":\"bind\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"auditd.data.socket.family\",\"negate\":true,\"params\":{\"query\":\"netlink\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"netlink\"},\"query\":{\"match\":{\"auditd.data.socket.family\":{\"query\":\"netlink\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Binds", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json new file mode 100755 index 0000000000..1e16eb0f3f --- /dev/null +++ b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "process.args", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "process.executable" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Process Executions", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json new file mode 100755 index 0000000000..6e60d6d77a --- /dev/null 
+++ b/packages/auditd_manager/1.0.0/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"auditd.summary.object.type\",\"negate\":false,\"params\":{\"query\":\"socket\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"socket\"},\"query\":{\"match\":{\"auditd.summary.object.type\":{\"query\":\"socket\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"auditd.summary.object.primary\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"auditd.data.syscall\\\":[\\\"accept\\\",\\\"accept4\\\",\\\"recvfrom\\\",\\\"recvmsg\\\"]}}\"},\"query\":{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Accept / Recvfrom", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/auditd_manager/1.0.0/manifest.yml b/packages/auditd_manager/1.0.0/manifest.yml
new file mode 100755
index 0000000000..54cdec9e08
--- /dev/null
+++ b/packages/auditd_manager/1.0.0/manifest.yml
@@ -0,0 +1,41 @@
+format_version: 1.0.0
+name: auditd_manager
+title: "Auditd Manager"
+version: 1.0.0
+release: ga
+license: basic
+description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
+type: integration
+categories:
+ - os_system
+ - security
+conditions:
+ kibana.version: "^8.2.0"
+screenshots:
+ - src: /img/overview.png
+ title: Overview Dashboard
+ size: 1374x903
+ type: image/png
+ - src: /img/sockets.png
+ title: Sockets Dashboard
+ size: 1362x1043
+ type: image/png
+ - src: /img/executions.png
+ title: Executions Dashboard
+ size: 1375x900
+ type: image/png
+icons:
+ - src: /img/linux.svg
+ title: linux
+ size: 299x354
+ type: image/svg+xml
+policy_templates:
+ - name: auditd
+ title: Auditd
+ description: Collect auditd events
+ inputs:
+ - type: audit/auditd
+ title: Collect auditd events
+ description: Collecting auditd events
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/checkpoint/1.5.0/changelog.yml b/packages/checkpoint/1.5.0/changelog.yml
new file mode 100755
index 0000000000..9354e1e7e0
--- /dev/null
+++ b/packages/checkpoint/1.5.0/changelog.yml
@@ -0,0 +1,121 @@
+# newer versions go on top
+- version: "1.5.0"
+ changes:
+ - description: Add TLS and custom options support to TCP input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3317
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.2 to use new email field set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2803
+- version: "1.3.6"
+ changes:
+ - description: Fixed parsing error when logs have trailing spaces
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3035
+- version: "1.3.5"
+ changes:
+ - description: Added link to check point documentation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2926
+- version: "1.3.4"
+ changes:
+ - description: Change mapping type of checkpoint.source_object to keyword from integer.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2951
+- version: "1.3.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.2"
+ changes:
+ - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2895
+- version: "1.3.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2387
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: 
"1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2231
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1951
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1803
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1653
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1605
+- version: "0.8.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1470
+- version: '0.8.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1376
+- version: "0.8.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.7.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1256
+- version: "0.6.0"
+ changes:
+ - description: update to ECS 1.10.0 and syncing module changes
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1033
+- version: "0.5.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/839
+- version: "0.5.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative. 
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/220
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..24ecbba6d7
--- /dev/null
+++ b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,38 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..cc8e682ac4
--- /dev/null
+++ b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/tcp.yml.hbs
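Review bot: `{{path}}`, `{{tag}}` and `{{zone}}` are rendered as plain, unquoted YAML scalars, so a policy value that begins with `*`, `&`, `[` or `{`, or that contains ` #` or `: `, is parsed as an alias, a flow collection, a comment or a nested mapping rather than taken literally — the sibling tcp/udp templates quote `host:` but this one quotes nothing. These values are typed by whoever edits the integration policy, so beyond the parse hazard they are a small config-injection surface into the agent's input configuration. Emitting them quoted, `  - "{{path}}"`, `  - "{{tag}}"` and `      - "{{zone}}"`, keeps them literal, provided the template renderer does not itself escape or alter double quotes — worth confirming once against a rendered policy. `{{processors}}` is deliberately raw multi-line YAML and cannot be quoted the same way, which deserves a `{{! processors is raw YAML from the policy author; it is inserted verbatim }}` comment so the next reader does not "fix" it.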
@@ -0,0 +1,40 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if tcp_options.length}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..79ed0fc89d
--- /dev/null
+++ b/packages/checkpoint/1.5.0/data_stream/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/1.5.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6de6cf8bbd
--- /dev/null
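Review bot: The new `{{#if ssl}} ssl: {{ssl}} {{/if}}` block makes TLS purely opt-in and says nothing about peer authentication, so the default rendered input is still a plaintext TCP listener on `{{syslog_host}}:{{syslog_port}}` that accepts syslog from any host that can reach the port, and even with `ssl` set the listener only demands a client certificate if the policy author includes `certificate_authorities` (and, depending on the input's defaults, `client_authentication: required`). Because these events are tagged with `internal_zones`/`external_zones` and land in the firewall data stream, lines injected by an unauthenticated sender would be indistinguishable from genuine gateway logs. The template cannot enforce this without changing the variable contract, but a `{{! ssl is inserted verbatim; for a listener, configure certificate/key plus certificate_authorities and client_authentication: required so only the Check Point log exporter can send }}` comment here, mirrored in the `ssl` variable description, would at least steer the operator; `{{tcp_options}}` is spliced in raw at top level the same way and merits the same one-line note. The udp template added alongside has no transport authentication at all, which is inherent to UDP and worth saying in its variable description rather than leaving implicit.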
+++ b/packages/checkpoint/1.5.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,835 @@ +--- +description: Pipeline for parsing checkpoint firewall logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) + +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) + +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) + +\[%{GREEDYDATA:syslog5424_sd}\]' + - kv: + field: syslog5424_sd + field_split: "; " + value_split: ":" + trim_key: " " + trim_value: " " + prefix: checkpoint. + strip_brackets: true + ignore_failure: true + exclude_keys: + - flags + - layer_uuid + - originsicname + - __policy_id_tag + - version + - rounded_bytes + - db_tag + - update_service + - remove: + field: + - syslog5424_sd + - syslog5424_app + - syslog5424_host + - syslog5424_msgid + - syslog5424_pri + - syslog5424_proc + - syslog5424_ver + - host + ignore_missing: true + - rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true + - date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" + - append: + field: event.category + value: network + if: ctx.checkpoint?.operation != 'Log In' + - set: + field: observer.vendor + value: Checkpoint + - set: + field: observer.type + value: firewall + if: ctx.checkpoint?.type == null + - set: + field: observer.product + value: "{{checkpoint.product}}" + ignore_empty_value: true + - rename: + field: checkpoint.src + target_field: source.ip + ignore_missing: true + - rename: + field: checkpoint.client_ip + target_field: source.ip + ignore_missing: true + if: ctx.source?.ip == null + - rename: + field: checkpoint.xlatesrc + target_field: source.nat.ip + if: "ctx.checkpoint?.xlatesrc != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.dst + target_field: 
destination.ip + ignore_missing: true + - rename: + field: checkpoint.xlatedst + target_field: destination.nat.ip + if: "ctx.checkpoint?.xlatedst != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.uid + target_field: source.user.id + ignore_missing: true + - rename: + field: checkpoint.administrator + target_field: source.user.name + ignore_missing: true + - rename: + field: checkpoint.source_user_name + target_field: source.user.name + if: ctx.source?.user?.name == null + ignore_missing: true + - convert: + field: checkpoint.client_outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.server_outbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.client_outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.sent_byte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.source?.bytes == null + - convert: + field: checkpoint.server_outbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.received_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.destination?.bytes == null + - convert: + field: checkpoint.service + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatedport + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.checkpoint?.xlatedport != '0'" + - convert: + field: checkpoint.s_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatesport + target_field: source.nat.port + type: long + ignore_failure: 
true + ignore_missing: true + if: "ctx.checkpoint?.xlatesport != '0'" + - rename: + field: checkpoint.mac_source_address + target_field: source.mac + ignore_missing: true + - rename: + field: checkpoint.src_machine_name + target_field: source.domain + ignore_missing: true + - rename: + field: checkpoint.destination_dns_hostname + target_field: destination.domain + ignore_missing: true + - rename: + field: checkpoint.dst_machine_name + target_field: destination.domain + if: ctx.server?.domain == null + ignore_missing: true + - rename: + field: checkpoint.src_user_group + target_field: source.user.group.name + ignore_missing: true + - append: + field: event.category + value: authentication + if: ctx.checkpoint?.operation == 'Log In' + - set: + field: event.kind + value: alert + if: "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.kind + value: event + if: ctx.event?.kind == null + - set: + field: event.outcome + value: success + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - allowed + - connection + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.outcome + value: success + if: ctx.checkpoint?.audit_status == 'Success' + - set: + field: event.outcome + value: failure + if: ctx.checkpoint?.audit_status == 'Failure' + - set: + field: event.outcome + value: success + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - connection + - denied + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.category + value: malware + if: ctx.checkpoint?.malware_action != null + - append: + field: event.category + value: intrusion_detection + if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx.source?.ip != null + - append: 
+ field: related.ip + value: "{{source.nat.ip}}" + if: ctx.source?.nat?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + if: ctx.destination?.ip != null + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: ctx.destination?.nat?.ip != null + - append: + field: related.hash + value: "{{checkpoint.file_md5}}" + if: ctx.checkpoint?.file_md5 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha1}}" + if: ctx.checkpoint?.file_sha1 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha256}}" + if: ctx.checkpoint?.file_sha256 != null + - rename: + field: checkpoint.from + target_field: source.user.email + ignore_missing: true + - rename: + field: checkpoint.to + target_field: destination.user.email + ignore_missing: true + - set: + field: email.from.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - set: + field: email.to.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - append: + field: email.from.address + value: "{{{checkpoint.mime_from}}}" + if: "ctx?.checkpoint?.mime_from != null" + - append: + field: email.to.address + value: "{{{checkpoint.mime_to}}}" + if: "ctx?.checkpoint?.mime_to != null" + - set: + field: email.subject + copy_from: checkpoint.email_subject + if: "ctx?.checkpoint?.email_subject != null" + - append: + field: email.bcc.address + value: "{{{checkpoint.bcc}}}" + if: "ctx?.checkpoint?.bcc != null" + - append: + field: email.cc.address + value: "{{{checkpoint.cc}}}" + if: "ctx?.checkpoint?.cc != null" + - set: + field: email.delivery_timestamp + copy_from: checkpoint.delivery_time + if: "ctx?.checkpoint?.delivery_time != null" + - set: + field: email.message_id + copy_from: checkpoint.email_message_id + if: "ctx?.checkpoint?.email_message_id != null" + - set: + field: email.local_id + copy_from: checkpoint.email_queue_id + if: "ctx?.checkpoint?.email_queue_id != null" + - 
rename: + field: checkpoint.usercheck_incident_uid + target_field: destination.user.id + ignore_missing: true + - rename: + field: checkpoint.service_name + target_field: destination.service.name + ignore_missing: true + - rename: + field: checkpoint.mac_destination_address + target_field: destination.mac + ignore_missing: true + - rename: + field: checkpoint.dns_type + target_field: dns.question.type + ignore_missing: true + - rename: + field: checkpoint.domain_name + target_field: dns.question.name + ignore_missing: true + - rename: + field: checkpoint.dns_message_type + target_field: dns.type + ignore_missing: true + - rename: + field: checkpoint.tid + target_field: dns.id + ignore_missing: true + - rename: + field: checkpoint.loguid + target_field: event.id + ignore_missing: true + - convert: + field: checkpoint.sequencenum + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.action + target_field: event.action + ignore_missing: true + - rename: + field: checkpoint.packet_capture + target_field: event.url + ignore_missing: true + - rename: + field: checkpoint.start_time + target_field: event.start + ignore_missing: true + - rename: + field: checkpoint.first_detection + target_field: event.start + ignore_missing: true + if: ctx.event?.start == null + - rename: + field: checkpoint.last_detection + target_field: event.end + ignore_missing: true + - rename: + field: checkpoint.app_risk + target_field: event.risk_score + ignore_missing: true + - rename: + field: checkpoint.file_id + target_field: file.inode + ignore_missing: true + - rename: + field: checkpoint.file_type + target_field: file.type + ignore_missing: true + - rename: + field: checkpoint.file_name + target_field: file.name + ignore_missing: true + - convert: + field: checkpoint.file_size + target_field: 
file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.file_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.file_sha1 + target_field: file.hash.sha1 + ignore_missing: true + - rename: + field: checkpoint.file_sha256 + target_field: file.hash.sha256 + ignore_missing: true + - rename: + field: checkpoint.dlp_file_name + target_field: file.name + ignore_missing: true + - rename: + field: checkpoint.user_group + target_field: group.name + ignore_missing: true + - rename: + field: checkpoint.os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: checkpoint.os_name + target_field: host.os.name + ignore_missing: true + - rename: + field: checkpoint.method + target_field: http.request.method + ignore_missing: true + - rename: + field: checkpoint.referrer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: checkpoint.service_id + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.ifdir + target_field: network.direction + ignore_missing: true + - rename: + field: checkpoint.bytes + target_field: network.bytes + ignore_missing: true + - rename: + field: checkpoint.proto + target_field: network.iana_number + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + 
ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - rename: + field: checkpoint.packets + target_field: network.packets + ignore_missing: true + - rename: + field: checkpoint.layer_name + target_field: network.name + ignore_missing: true + - rename: + field: checkpoint.app_name + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.client_inbound_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: checkpoint.client_outbound_interface + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: checkpoint.ifname + target_field: observer.ingress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'inbound' + - rename: + field: checkpoint.ifname + target_field: observer.egress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'outbound' + - rename: + field: checkpoint.type + target_field: observer.type + ignore_missing: true + - rename: + field: checkpoint.origin + target_field: observer.name + ignore_missing: true + - rename: + field: checkpoint.origin_ip + target_field: observer.ip + ignore_missing: true + - rename: + field: checkpoint.endpoint_ip + target_field: observer.ip + ignore_missing: true + if: ctx.observer?.ip == null + - rename: + field: checkpoint.outzone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: checkpoint.inzone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: checkpoint.security_outzone + target_field: observer.egress.zone + ignore_missing: true + if: ctx.observer?.egress?.zone == null + - rename: + field: checkpoint.security_inzone + target_field: observer.ingress.zone + ignore_missing: true + if: ctx.observer?.ingress?.zone == 
null + - rename: + field: checkpoint.update_version + target_field: observer.version + ignore_missing: true + - rename: + field: checkpoint.process_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.process_name + target_field: process.name + ignore_missing: true + - rename: + field: checkpoint.parent_process_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.parent_process_name + target_field: process.parent.name + ignore_missing: true + - rename: + field: checkpoint.matched_category + target_field: rule.category + ignore_missing: true + - rename: + field: checkpoint.categories + target_field: rule.category + ignore_missing: true + if: ctx.rule?.category == null + - rename: + field: checkpoint.malware_action + target_field: rule.description + ignore_missing: true + - rename: + field: checkpoint.malware_rule_id + target_field: rule.id + ignore_missing: true + - rename: + field: checkpoint.app_rule_id + target_field: rule.id + ignore_missing: true + if: ctx.rule?.id == null + - rename: + field: checkpoint.objectname + target_field: rule.name + ignore_missing: true + - rename: + field: checkpoint.rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.malware_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.app_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.dlp_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.smartdefence_profile + target_field: rule.ruleset + ignore_missing: true + - rename: + field: checkpoint.policy + target_field: rule.ruleset + ignore_missing: true + if: ctx.rule?.ruleset == null + - rename: + field: checkpoint.rule_uid + target_field: rule.uuid + ignore_missing: true + - rename: + 
field: checkpoint.dlp_rule_uid + target_field: rule.uuid + ignore_missing: true + if: ctx.rule?.uuid == null + - rename: + field: checkpoint.url + target_field: url.original + ignore_missing: true + - rename: + field: checkpoint.resource + target_field: url.original + ignore_missing: true + if: ctx.url?.original == null + - rename: + field: checkpoint.http_host + target_field: url.domain + ignore_missing: true + - rename: + field: checkpoint.web_client_type + target_field: user_agent.name + ignore_missing: true + - rename: + field: checkpoint.user_agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: checkpoint.industry_reference + target_field: vulnerability.id + ignore_missing: true + - date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" + - rename: + field: checkpoint.message + target_field: message + ignore_missing: true + - rename: + field: checkpoint.reason + target_field: message + ignore_missing: true + if: ctx.message == null + - rename: + field: checkpoint.subject + target_field: message + ignore_missing: true + if: ctx.message == null + - gsub: + field: checkpoint.sys_message + pattern: ^:" + replacement: "" + if: ctx.checkpoint?.sys_message != null + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx.source?.user?.name != null + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx.destination?.user?.name != null + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null + ignore_failure: true + - rename: + field: checkpoint.action_reason + target_field: 
checkpoint.action_reason_msg + if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.geo == null + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: ctx.destination?.geo == null + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # Handle zone-based network directionality + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && 
+ ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + - remove: + field: + - checkpoint.client_outbound_packets + - checkpoint.server_outbound_packets + - checkpoint.client_outbound_bytes + - checkpoint.sent_byte + - checkpoint.server_outbound_bytes + - checkpoint.received_bytes + - checkpoint.service + - checkpoint.xlatedport + - checkpoint.s_port + - checkpoint.xlatesport + - checkpoint.sequencenum + - checkpoint.file_size + - checkpoint.product + - checkpoint.severity + - checkpoint.xlatesrc + - checkpoint.xlatedst + - checkpoint.uid + - checkpoint.time + - syslog5424_ts + - _temp_ + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
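Review bot: The `checkpoint.dst_machine_name` rename is guarded by `ctx.server?.domain == null` although its target is `destination.domain`, so when `checkpoint.destination_dns_hostname` has already populated `destination.domain` the rename hits an existing target and, with no `ignore_failure`, the whole document drops into `on_failure` with only `error.message` set. The guard should read `if: ctx.destination?.domain == null`. Separately, the `email.from.address` set reads `["{{{destination.user.email}}}"]` right after `checkpoint.from` was renamed to `source.user.email`; this looks like a copy of the `email.to.address` processor and presumably should use `["{{{source.user.email}}}"]` with a matching `ctx?.source?.user?.email != null` condition.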
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/fields/agent.yml b/packages/checkpoint/1.5.0/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..79a7a39864 --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/fields/agent.yml 
@@ -0,0 +1,180 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/fields/base-fields.yml b/packages/checkpoint/1.5.0/data_stream/firewall/fields/base-fields.yml new file mode 100755 index 0000000000..6bdf832a14 --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: checkpoint +- name: event.dataset + type: constant_keyword + description: Event dataset + value: checkpoint.firewall +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/fields/beats.yml b/packages/checkpoint/1.5.0/data_stream/firewall/fields/beats.yml new file mode 100755 index 0000000000..e272492dea --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/fields/beats.yml @@ -0,0 +1,15 @@ +- description: Type of Filebeat input. + name: input.type + type: keyword +- description: Flags for the log file. + name: log.flags + type: keyword +- description: Offset of the entry in the log file. + name: log.offset + type: long +- description: Name of the service data is collected from. + name: destination.service.name + type: keyword +- description: Source address of logs received over the network. + name: log.source.address + type: keyword diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/1.5.0/data_stream/firewall/fields/ecs.yml new file mode 100755 index 0000000000..506553ea2c --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/fields/ecs.yml 
@@ -0,0 +1,522 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. 
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The date and time when the email message was received by the service or client. + name: email.delivery_timestamp + type: date +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: The email address of BCC recipient + name: email.bcc.address + type: keyword +- description: The email address of CC recipient + name: email.cc.address + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: |- + Unique identifier given to the email by the source that created the event. + Identifier is not persistent across hops. + name: email.local_id + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
+ name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
+ If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
+ name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. 
+ name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: User email address. + name: source.user.email + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/fields/fields.yml b/packages/checkpoint/1.5.0/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..a389420a0c --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/fields/fields.yml 
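Review bot: The `vulnerability.id` description near the end of this hunk has its Markdown link inverted — `(https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]` places the URL in parentheses ahead of the bracketed text, so rendered documentation shows the raw URL and brackets rather than a link. The conventional form is `For example, [Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id).` Separately, `email.to.address`, `email.bcc.address` and `email.cc.address` are described as `The email address of recipient`, `The email address of BCC recipient` and `The email address of CC recipient`, without an article or terminating period, unlike the surrounding entries; `The email address of the recipient.` and the two analogous forms would match. Since this file appears to be a copy of upstream ECS field text, the wording fix presumably belongs in whatever source this package snapshot is generated from rather than in the snapshot itself.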
@@ -0,0 +1,1626 @@ +- name: checkpoint + type: group + release: beta + fields: + - name: action_reason + type: integer + description: | + Connection drop reason. + - name: action_reason_msg + type: keyword + overwrite: true + description: | + Connection drop reason message. + - name: additional_info + type: keyword + description: | + ID of original file/mail which are sent by admin. + - name: additional_ip + type: keyword + description: | + DNS host name. + - name: additional_rdata + type: keyword + description: | + List of additional resource records. + - name: alert + type: keyword + description: | + Alert level of matched rule (for connection logs). + - name: allocated_ports + type: integer + description: | + Amount of allocated ports. + - name: analyzed_on + type: keyword + description: | + Check Point ThreatCloud / emulator name. + - name: answer_rdata + type: keyword + description: | + List of answer resource records to the questioned domains. + - name: anti_virus_type + type: keyword + description: | + Anti virus type. + - name: app_desc + type: keyword + description: | + Application description. + - name: app_id + type: integer + description: | + Application ID. + - name: app_package + type: keyword + description: | + Unique identifier of the application on the protected mobile device. + - name: app_properties + type: keyword + description: | + List of all found categories. + - name: app_repackaged + type: keyword + description: | + Indicates whether the original application was repackage not by the official developer. + - name: app_sid_id + type: keyword + description: | + Unique SHA identifier of a mobile application. + - name: app_sig_id + type: keyword + description: | + IOC indicator description. + - name: app_version + type: keyword + description: | + Version of the application downloaded on the protected mobile device. + - name: appi_name + type: keyword + description: | + Name of application downloaded on the protected mobile device. 
+ - name: arrival_time + type: keyword + description: | + Email arrival timestamp. + - name: attachments_num + type: integer + description: | + Number of attachments in the mail. + - name: attack_status + type: keyword + description: | + In case of a malicious event on an endpoint computer, the status of the attack. + - name: audit_status + type: keyword + description: | + Audit Status. Can be Success or Failure. + - name: auth_method + type: keyword + description: | + Password authentication protocol used (PAP or EAP). + - name: authority_rdata + type: keyword + description: | + List of authoritative servers. + - name: authorization + type: keyword + description: | + Authorization HTTP header value. + - name: bcc + type: keyword + description: | + List of BCC addresses. + - name: blade_name + type: keyword + description: | + Blade name. + - name: broker_publisher + type: ip + description: | + IP address of the broker publisher who shared the session information. + - name: browse_time + type: keyword + description: | + Application session browse time. + - name: c_bytes + type: integer + description: | + Boolean value indicates whether bytes sent from the client side are used. + - name: calc_desc + type: keyword + description: | + Log description. + - name: capacity + type: integer + description: | + Capacity of the ports. + - name: capture_uuid + type: keyword + description: | + UUID generated for the capture. Used when enabling the capture when logging. + - name: cc + type: keyword + description: | + The Carbon Copy address of the email. + - name: certificate_resource + type: keyword + description: | + HTTPS resource Possible values: SNI or domain name (DN). + - name: certificate_validation + type: keyword + description: | + Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. + - name: cgnet + type: keyword + description: | + Describes NAT allocation for specific subscriber. 
+ - name: chunk_type + type: keyword + description: | + Chunck of the sctp stream. + - name: client_name + type: keyword + description: | + Client Application or Software Blade that detected the event. + - name: client_type + type: keyword + description: | + Endpoint Connect. + - name: client_type_os + type: keyword + description: | + Client OS detected in the HTTP request. + - name: client_version + type: keyword + description: | + Build version of SandBlast Agent client installed on the computer. + - name: cluster_info + type: keyword + description: | + Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. + - name: comment + type: keyword + - name: community + type: keyword + description: | + Community name for the IPSec key and the use of the IKEv. + - name: confidence_level + type: integer + description: | + Confidence level determined by ThreatCloud. + - name: conn_direction + type: keyword + description: Connection direction + - name: connection_uid + type: keyword + description: | + Calculation of md5 of the IP and user name as UID. + - name: connectivity_level + type: keyword + description: | + Log for a new connection in wire mode. + - name: conns_amount + type: integer + description: | + Connections amount of aggregated log info. + - name: content_disposition + type: keyword + description: | + Indicates how the content is expected to be displayed inline in the browser. + - name: content_length + type: keyword + description: | + Indicates the size of the entity-body of the HTTP header. + - name: content_risk + type: integer + description: | + File risk. + - name: content_type + type: keyword + description: | + Mail content type. Possible values: application/msword, text/html, image/gif etc. + - name: context_num + type: integer + description: | + Serial number of the log for a specific connection. + - name: cookieI + type: keyword + description: | + Initiator cookie. 
+ - name: cookieR + type: keyword + description: | + Responder cookie. + - name: cp_message + type: integer + description: | + Used to log a general message. + - name: cvpn_category + type: keyword + description: | + Mobile Access application type. + - name: cvpn_resource + type: keyword + description: | + Mobile Access application. + - name: data_type_name + type: keyword + description: | + Data type in rulebase that was matched. + - name: db_ver + type: keyword + description: Database version + - name: dce-rpc_interface_uuid + type: keyword + description: | + Log for new RPC state - UUID values + - name: delivery_time + type: keyword + description: | + Timestamp of when email was delivered (MTA finished handling the email. + - name: desc + type: keyword + description: | + Override application description. + - name: description + type: keyword + description: | + Additional explanation how the security gateway enforced the connection. + - name: destination_object + type: keyword + description: | + Matched object name on destination column. + - name: detected_on + type: keyword + description: | + System and applications version the file was emulated on. + - name: developer_certificate_name + type: keyword + description: | + Name of the developer's certificate that was used to sign the mobile application. + - name: diameter_app_ID + type: integer + description: | + The ID of diameter application. + - name: diameter_cmd_code + type: integer + description: | + Diameter not allowed application command id. + - name: diameter_msg_type + type: keyword + description: | + Diameter message type. + - name: dlp_action_reason + type: keyword + description: | + Action chosen reason. + - name: dlp_additional_action + type: keyword + description: | + Watermark/None. + - name: dlp_categories + type: keyword + description: | + Data type category. + - name: dlp_data_type_name + type: keyword + description: | + Matched data type. 
+ - name: dlp_data_type_uid
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: dlp_fingerprint_files_number
+ type: integer
+ description: |
+ Number of successfully scanned files in repository.
+ - name: dlp_fingerprint_long_status
+ type: keyword
+ description: |
+ Scan status - long format.
+ - name: dlp_fingerprint_short_status
+ type: keyword
+ description: |
+ Scan status - short format.
+ - name: dlp_incident_uid
+ type: keyword
+ description: |
+ Unique ID of the matched rule.
+ - name: dlp_recipients
+ type: keyword
+ description: |
+ Mail recipients.
+ - name: dlp_related_incident_uid
+ type: keyword
+ description: |
+ Other ID related to this one.
+ - name: dlp_relevant_data_types
+ type: keyword
+ description: |
+ In case of Compound/Group: the inner data types that were matched.
+ - name: dlp_repository_directories_number
+ type: integer
+ description: |
+ Number of directories in repository.
+ - name: dlp_repository_files_number
+ type: integer
+ description: |
+ Number of files in repository.
+ - name: dlp_repository_id
+ type: keyword
+ description: |
+ ID of scanned repository.
+ - name: dlp_repository_not_scanned_directories_percentage
+ type: integer
+ description: |
+ Percentage of directories the Security Gateway was unable to read.
+ - name: dlp_repository_reached_directories_number
+ type: integer
+ description: |
+ Number of scanned directories in repository.
+ - name: dlp_repository_root_path
+ type: keyword
+ description: |
+ Repository path.
+ - name: dlp_repository_scan_progress
+ type: integer
+ description: |
+ Scan percentage.
+ - name: dlp_repository_scanned_directories_number
+ type: integer
+ description: |
+ Amount of directories scanned.
+ - name: dlp_repository_scanned_files_number
+ type: integer
+ description: |
+ Number of scanned files in repository.
+ - name: dlp_repository_scanned_total_size
+ type: integer
+ description: |
+ Size scanned.
+ - name: dlp_repository_skipped_files_number
+ type: integer
+ description: |
+ Skipped number of files because of configuration.
+ - name: dlp_repository_total_size
+ type: integer
+ description: |
+ Repository size.
+ - name: dlp_repository_unreachable_directories_number
+ type: integer
+ description: |
+ Number of directories the Security Gateway was unable to read.
+ - name: dlp_rule_name
+ type: keyword
+ description: |
+ Matched rule name.
+ - name: dlp_subject
+ type: keyword
+ description: |
+ Mail subject.
+ - name: dlp_template_score
+ type: keyword
+ description: |
+ Template data type match score.
+ - name: dlp_transint
+ type: keyword
+ description: |
+ HTTP/SMTP/FTP.
+ - name: dlp_violation_description
+ type: keyword
+ description: |
+ Violation descriptions described in the rulebase.
+ - name: dlp_watermark_profile
+ type: keyword
+ description: |
+ Watermark which was applied.
+ - name: dlp_word_list
+ type: keyword
+ description: |
+ Phrases matched by data type.
+ - name: dns_query
+ type: keyword
+ description: |
+ DNS query.
+ - name: drop_reason
+ type: keyword
+ description: |
+ Drop reason description.
+ - name: dropped_file_hash
+ type: keyword
+ description: |
+ List of file hashes dropped from the original file.
+ - name: dropped_file_name
+ type: keyword
+ description: |
+ List of names dropped from the original file.
+ - name: dropped_file_type
+ type: keyword
+ description: |
+ List of file types dropped from the original file.
+ - name: dropped_file_verdict
+ type: keyword
+ description: |
+ List of file verdics dropped from the original file.
+ - name: dropped_incoming
+ type: integer
+ description: |
+ Number of incoming bytes dropped when using UP-limit feature.
+ - name: dropped_outgoing
+ type: integer
+ description: |
+ Number of outgoing bytes dropped when using UP-limit feature.
+ - name: dropped_total
+ type: integer
+ description: |
+ Amount of dropped packets (both incoming and outgoing).
+ - name: drops_amount
+ type: integer
+ description: |
+ Amount of multicast packets dropped.
+ - name: dst_country
+ type: keyword
+ description: |
+ Destination country.
+ - name: dst_phone_number
+ type: keyword
+ description: |
+ Destination IP-Phone.
+ - name: dst_user_name
+ type: keyword
+ description: |
+ Connected user name on the destination IP.
+ - name: dstkeyid
+ type: keyword
+ description: |
+ Responder Spi ID.
+ - name: duplicate
+ type: keyword
+ description: |
+ Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
+ - name: duration
+ type: keyword
+ description: "Scan duration. \n"
+ - name: elapsed
+ type: keyword
+ description: |
+ Time passed since start time.
+ - name: email_content
+ type: keyword
+ description: |
+ Mail contents. Possible options: attachments/links & attachments/links/text only.
+ - name: email_control
+ type: keyword
+ description: |
+ Engine name.
+ - name: email_control_analysis
+ type: keyword
+ description: |
+ Message classification, received from spam vendor engine.
+ - name: email_headers
+ type: keyword
+ description: |
+ String containing all the email headers.
+ - name: email_id
+ type: keyword
+ description: |
+ Email number in smtp connection.
+ - name: email_message_id
+ type: keyword
+ description: |
+ Email session id (uniqe ID of the mail).
+ - name: email_queue_id
+ type: keyword
+ description: |
+ Postfix email queue id.
+ - name: email_queue_name
+ type: keyword
+ description: |
+ Postfix email queue name.
+ - name: email_recipients_num
+ type: long
+ description: |
+ Amount of recipients whom the mail was sent to.
+ - name: email_session_id
+ type: keyword
+ description: |
+ Connection uuid.
+ - name: email_spam_category
+ type: keyword
+ description: |
+ Email categories. Possible values: spam/not spam/phishing.
+ - name: email_status
+ type: keyword
+ description: |
+ Describes the email's state.
Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
+ - name: email_subject
+ type: keyword
+ description: |
+ Original email subject.
+ - name: emulated_on
+ type: keyword
+ description: |
+ Images the files were emulated on.
+ - name: encryption_failure
+ type: keyword
+ description: |
+ Message indicating why the encryption failed.
+ - name: end_time
+ type: keyword
+ description: |
+ TCP connection end time.
+ - name: end_user_firewall_type
+ type: keyword
+ description: |
+ End user firewall type.
+ - name: esod_access_status
+ type: keyword
+ description: |
+ Access denied.
+ - name: esod_associated_policies
+ type: keyword
+ description: |
+ Associated policies.
+ - name: esod_noncompliance_reason
+ type: keyword
+ description: |
+ Non-compliance reason.
+ - name: esod_rule_action
+ type: keyword
+ description: |
+ Unknown rule action.
+ - name: esod_rule_name
+ type: keyword
+ description: |
+ Unknown rule name.
+ - name: esod_rule_type
+ type: keyword
+ description: |
+ Unknown rule type.
+ - name: esod_scan_status
+ type: keyword
+ description: |
+ Scan failed.
+ - name: event_count
+ type: long
+ description: |
+ Number of events associated with the log.
+ - name: expire_time
+ type: keyword
+ description: |
+ Connection closing time.
+ - name: extension_version
+ type: keyword
+ description: |
+ Build version of the SandBlast Agent browser extension.
+ - name: extracted_file_hash
+ type: keyword
+ description: |
+ Archive hash in case of extracted files.
+ - name: extracted_file_names
+ type: keyword
+ description: |
+ Names of extracted files in case of an archive.
+ - name: extracted_file_type
+ type: keyword
+ description: |
+ Types of extracted files in case of an archive.
+ - name: extracted_file_uid
+ type: keyword
+ description: |
+ UID of extracted files in case of an archive.
+ - name: extracted_file_verdict
+ type: keyword
+ description: |
+ Verdict of extracted files in case of an archive.
+ - name: failure_impact
+ type: keyword
+ description: |
+ The impact of update service failure.
+ - name: failure_reason
+ type: keyword
+ description: |
+ MTA failure description.
+ - name: file_direction
+ type: keyword
+ description: |
+ File direction. Possible options: upload/download.
+ - name: file_name
+ type: keyword
+ description: |
+ Malicious file name.
+ - name: files_names
+ type: keyword
+ description: |
+ List of files requested by FTP.
+ - name: first_hit_time
+ type: integer
+ description: |
+ First hit time in current interval.
+ - name: fs-proto
+ type: keyword
+ description: |
+ The file share protocol used in mobile acess file share application.
+ - name: ftp_user
+ type: keyword
+ description: |
+ FTP username.
+ - name: fw_message
+ type: keyword
+ description: |
+ Used for various firewall errors.
+ - name: fw_subproduct
+ type: keyword
+ description: |
+ Can be vpn/non vpn.
+ - name: hide_ip
+ type: ip
+ description: |
+ Source IP which will be used after CGNAT.
+ - name: hit
+ type: integer
+ description: |
+ Number of hits on a rule.
+ - name: host_time
+ type: keyword
+ description: |
+ Local time on the endpoint computer.
+ - name: http_host
+ type: keyword
+ description: |
+ Domain name of the server that the HTTP request is sent to.
+ - name: http_location
+ type: keyword
+ description: |
+ Response header, indicates the URL to redirect a page to.
+ - name: http_server
+ type: keyword
+ description: |
+ Server HTTP header value, contains information about the software used by the origin server, which handles the request.
+ - name: https_inspection_action
+ type: keyword
+ description: |
+ HTTPS inspection action (Inspect/Bypass/Error).
+ - name: https_inspection_rule_id
+ type: keyword
+ description: |
+ ID of the matched rule.
+ - name: https_inspection_rule_name
+ type: keyword
+ description: |
+ Name of the matched rule.
+ - name: https_validation
+ type: keyword
+ description: |
+ Precise error, describing HTTPS inspection failure.
+ - name: icap_more_info
+ type: integer
+ description: |
+ Free text for verdict.
+ - name: icap_server_name
+ type: keyword
+ description: |
+ Server name.
+ - name: icap_server_service
+ type: keyword
+ description: |
+ Service name, as given in the ICAP URI
+ - name: icap_service_id
+ type: integer
+ description: |
+ Service ID, can work with multiple servers, treated as services.
+ - name: icmp
+ type: keyword
+ description: |
+ Number of packets, received by the client.
+ - name: icmp_code
+ type: long
+ description: |
+ In case a connection is ICMP, code info will be added to the log.
+ - name: icmp_type
+ type: long
+ description: |
+ In case a connection is ICMP, type info will be added to the log.
+ - name: id
+ type: integer
+ description: |
+ Override application ID.
+ - name: ike
+ type: keyword
+ description: |
+ IKEMode (PHASE1, PHASE2, etc..).
+ - name: ike_ids
+ type: keyword
+ description: |
+ All QM ids.
+ - name: impacted_files
+ type: keyword
+ description: |
+ In case of an infection on an endpoint computer, the list of files that the malware impacted.
+ - name: incident_extension
+ type: keyword
+ description: |
+ Matched data type.
+ - name: indicator_description
+ type: keyword
+ description: |
+ IOC indicator description.
+ - name: indicator_name
+ type: keyword
+ description: |
+ IOC indicator name.
+ - name: indicator_reference
+ type: keyword
+ description: |
+ IOC indicator reference.
+ - name: indicator_uuid
+ type: keyword
+ description: |
+ IOC indicator uuid.
+ - name: info
+ type: keyword
+ description: |
+ Special log message.
+ - name: information
+ type: keyword
+ description: |
+ Policy installation status for a specific blade.
+ - name: inspection_category
+ type: keyword
+ description: |
+ Inspection category: protocol anomaly, signature etc.
+ - name: inspection_item
+ type: keyword
+ description: |
+ Blade element performed inspection.
+ - name: inspection_profile
+ type: keyword
+ description: |
+ Profile which the activated protection belongs to.
+ - name: inspection_settings_log
+ type: keyword
+ description: |
+ Indicats that the log was released by inspection settings.
+ - name: installed_products
+ type: keyword
+ description: |
+ List of installed Endpoint Software Blades.
+ - name: int_end
+ type: integer
+ description: |
+ Subscriber end int which will be used for NAT.
+ - name: int_start
+ type: integer
+ description: |
+ Subscriber start int which will be used for NAT.
+ - name: interface_name
+ type: keyword
+ description: |
+ Designated interface for mirror And decrypt.
+ - name: internal_error
+ type: keyword
+ description: |
+ Internal error, for troubleshooting
+ - name: invalid_file_size
+ type: integer
+ description: |
+ File_size field is valid only if this field is set to 0.
+ - name: ip_option
+ type: integer
+ description: |
+ IP option that was dropped.
+ - name: isp_link
+ type: keyword
+ description: |
+ Name of ISP link.
+ - name: last_hit_time
+ type: integer
+ description: |
+ Last hit time in current interval.
+ - name: last_rematch_time
+ type: keyword
+ description: |
+ Connection rematched time.
+ - name: layer_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: layer_uuid
+ type: keyword
+ description: |
+ Layer UUID.
+ - name: limit_applied
+ type: integer
+ description: |
+ Indicates whether the session was actually date limited.
+ - name: limit_requested
+ type: integer
+ description: |
+ Indicates whether data limit was requested for the session.
+ - name: link_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: links_num
+ type: integer
+ description: |
+ Number of links in the mail.
+ - name: log_delay
+ type: integer
+ description: |
+ Time left before deleting template.
+ - name: log_id
+ type: integer
+ description: |
+ Unique identity for logs.
+ - name: logid
+ type: keyword
+ description: |
+ System messages
+ - name: long_desc
+ type: keyword
+ description: |
+ More information on the process (usually describing error reason in failure).
+ - name: machine
+ type: keyword
+ description: |
+ L2TP machine which triggered the log and the log refers to it.
+ - name: malware_family
+ type: keyword
+ description: |
+ Additional information on protection.
+ - name: match_fk
+ type: integer
+ description: |
+ Rule number.
+ - name: match_id
+ type: integer
+ description: |
+ Private key of the rule
+ - name: matched_file
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: matched_file_percentage
+ type: integer
+ description: |
+ Fingerprint: match percentage of the traffic.
+ - name: matched_file_text_segments
+ type: integer
+ description: |
+ Fingerprint: number of text segments matched by this traffic.
+ - name: media_type
+ type: keyword
+ description: |
+ Media used (audio, video, etc.)
+ - name: message
+ type: keyword
+ description: |
+ ISP link has failed.
+ - name: message_info
+ type: keyword
+ description: |
+ Used for information messages, for example:NAT connection has ended.
+ - name: message_size
+ type: integer
+ description: |
+ Mail/post size.
+ - name: method
+ type: keyword
+ description: |
+ HTTP method.
+ - name: methods
+ type: keyword
+ description: |
+ IPSEc methods.
+ - name: mime_from
+ type: keyword
+ description: |
+ Sender's address.
+ - name: mime_to
+ type: keyword
+ description: |
+ List of receiver address.
+ - name: mirror_and_decrypt_type
+ type: keyword
+ description: |
+ Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
+ - name: mitre_collection
+ type: keyword
+ description: |
+ The adversary is trying to collect data of interest to achieve his goal.
+ - name: mitre_command_and_control
+ type: keyword
+ description: |
+ The adversary is trying to communicate with compromised systems in order to control them.
+ - name: mitre_credential_access
+ type: keyword
+ description: |
+ The adversary is trying to steal account names and passwords.
+ - name: mitre_defense_evasion
+ type: keyword
+ description: |
+ The adversary is trying to avoid being detected.
+ - name: mitre_discovery
+ type: keyword
+ description: |
+ The adversary is trying to expose information about your environment.
+ - name: mitre_execution
+ type: keyword
+ description: |
+ The adversary is trying to run malicious code.
+ - name: mitre_exfiltration
+ type: keyword
+ description: |
+ The adversary is trying to steal data.
+ - name: mitre_impact
+ type: keyword
+ description: |
+ The adversary is trying to manipulate, interrupt, or destroy your systems and data.
+ - name: mitre_initial_access
+ type: keyword
+ description: |
+ The adversary is trying to break into your network.
+ - name: mitre_lateral_movement
+ type: keyword
+ description: |
+ The adversary is trying to explore your environment.
+ - name: mitre_persistence
+ type: keyword
+ description: |
+ The adversary is trying to maintain his foothold.
+ - name: mitre_privilege_escalation
+ type: keyword
+ description: |
+ The adversary is trying to gain higher-level permissions.
+ - name: monitor_reason
+ type: keyword
+ description: |
+ Aggregated logs of monitored packets.
+ - name: msgid
+ type: keyword
+ description: |
+ Message ID.
+ - name: name
+ type: keyword
+ description: |
+ Application name.
+ - name: nat46
+ type: keyword
+ description: |
+ NAT 46 status, in most cases "enabled".
+ - name: nat_addtnl_rulenum
+ type: integer
+ description: |
+ When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
+ - name: nat_exhausted_pool
+ type: keyword
+ description: |
+ 4-tuple of an exhausted pool.
+ - name: nat_rulenum
+ type: integer
+ description: |
+ NAT rulebase first matched rule.
+ - name: needs_browse_time
+ type: integer
+ description: |
+ Browse time required for the connection.
+ - name: next_hop_ip
+ type: keyword
+ description: |
+ Next hop IP address.
+ - name: next_scheduled_scan_date
+ type: keyword
+ description: |
+ Next scan scheduled time according to time object.
+ - name: number_of_errors
+ type: integer
+ description: |
+ Number of files that were not scanned due to an error.
+ - name: objecttable
+ type: keyword
+ description: |
+ Table of affected objects.
+ - name: objecttype
+ type: keyword
+ description: |
+ The type of the affected object.
+ - name: observable_comment
+ type: keyword
+ description: |
+ IOC observable signature description.
+ - name: observable_id
+ type: keyword
+ description: |
+ IOC observable signature id.
+ - name: observable_name
+ type: keyword
+ description: |
+ IOC observable signature name.
+ - name: operation
+ type: keyword
+ description: |
+ Operation made by Threat Extraction.
+ - name: operation_number
+ type: keyword
+ description: |
+ The operation nuber.
+ - name: origin_sic_name
+ type: keyword
+ description: |
+ Machine SIC.
+ - name: original_queue_id
+ type: keyword
+ description: |
+ Original postfix email queue id.
+ - name: outgoing_url
+ type: keyword
+ description: |
+ URL related to this log (for HTTP).
+ - name: packet_amount
+ type: integer
+ description: |
+ Amount of packets dropped.
+ - name: packet_capture_unique_id
+ type: keyword
+ description: |
+ Identifier of the packet capture files.
+ - name: parent_file_hash
+ type: keyword
+ description: |
+ Archive's hash in case of extracted files.
+ - name: parent_file_name
+ type: keyword
+ description: |
+ Archive's name in case of extracted files.
+ - name: parent_file_uid
+ type: keyword
+ description: |
+ Archive's UID in case of extracted files.
+ - name: parent_process_username
+ type: keyword
+ description: |
+ Owner username of the parent process of the process that triggered the attack.
+ - name: parent_rule
+ type: integer
+ description: |
+ Parent rule number, in case of inline layer.
+ - name: peer_gateway
+ type: ip
+ description: |
+ Main IP of the peer Security Gateway.
+ - name: peer_ip
+ type: keyword
+ description: |
+ IP address which the client connects to.
+ - name: peer_ip_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: performance_impact
+ type: integer
+ description: |
+ Protection performance impact.
+ - name: policy_mgmt
+ type: keyword
+ description: |
+ Name of the Management Server that manages this Security Gateway.
+ - name: policy_name
+ type: keyword
+ description: |
+ Name of the last policy that this Security Gateway fetched.
+ - name: ports_usage
+ type: integer
+ description: |
+ Percentage of allocated ports.
+ - name: ppp
+ type: keyword
+ description: |
+ Authentication status.
+ - name: precise_error
+ type: keyword
+ description: |
+ HTTP parser error.
+ - name: process_username
+ type: keyword
+ description: |
+ Owner username of the process that triggered the attack.
+ - name: properties
+ type: keyword
+ description: |
+ Application categories.
+ - name: protection_id
+ type: keyword
+ description: |
+ Protection malware id.
+ - name: protection_name
+ type: keyword
+ description: |
+ Specific signature name of the attack.
+ - name: protection_type
+ type: keyword
+ description: |
+ Type of protection used to detect the attack.
+ - name: protocol
+ type: keyword
+ description: |
+ Protocol detected on the connection.
+ - name: proxy_machine_name
+ type: integer
+ description: |
+ Machine name connected to proxy IP.
+ - name: proxy_src_ip
+ type: ip
+ description: |
+ Sender source IP (even when using proxy).
+ - name: proxy_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to proxy IP.
+ - name: proxy_user_name
+ type: keyword
+ description: |
+ User name connected to proxy IP.
+ - name: query
+ type: keyword
+ description: |
+ DNS query.
+ - name: question_rdata
+ type: keyword
+ description: |
+ List of question records domains.
+ - name: referrer
+ type: keyword
+ description: |
+ Referrer HTTP request header, previous web page address.
+ - name: referrer_parent_uid
+ type: keyword
+ description: |
+ Log UUID of the referring application.
+ - name: referrer_self_uid
+ type: keyword
+ description: |
+ UUID of the current log.
+ - name: registered_ip-phones
+ type: keyword
+ description: |
+ Registered IP-Phones.
+ - name: reject_category
+ type: keyword
+ description: |
+ Authentication failure reason.
+ - name: reject_id
+ type: keyword
+ description: |
+ A reject ID that corresponds to the one presented in the Mobile Access error page.
+ - name: rematch_info
+ type: keyword
+ description: |
+ Information sent when old connections cannot be matched during policy installation.
+ - name: remediated_files
+ type: keyword
+ description: |
+ In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
+ - name: reply_status
+ type: integer
+ description: |
+ ICAP reply status code, e.g. 200 or 204.
+ - name: risk
+ type: keyword
+ description: |
+ Risk level we got from the engine.
+ - name: rpc_prog
+ type: integer
+ description: |
+ Log for new RPC state - prog values.
+ - name: rule
+ type: integer
+ description: |
+ Matched rule number.
+ - name: rule_action
+ type: keyword
+ description: |
+ Action of the matched rule in the access policy.
+ - name: rulebase_id
+ type: integer
+ description: |
+ Layer number.
+ - name: scan_direction
+ type: keyword
+ description: |
+ Scan direction.
+ - name: scan_hosts_day
+ type: integer
+ description: |
+ Number of unique hosts during the last day.
+ - name: scan_hosts_hour
+ type: integer
+ description: |
+ Number of unique hosts during the last hour.
+ - name: scan_hosts_week
+ type: integer
+ description: |
+ Number of unique hosts during the last week.
+ - name: scan_id
+ type: keyword
+ description: |
+ Sequential number of scan.
+ - name: scan_mail
+ type: integer
+ description: |
+ Number of emails that were scanned by "AB malicious activity" engine.
+ - name: scan_results
+ type: keyword
+ description: |
+ "Infected"/description of a failure.
+ - name: scheme
+ type: keyword
+ description: |
+ Describes the scheme used for the log.
+ - name: scope
+ type: keyword
+ description: |
+ IP related to the attack.
+ - name: scrub_activity
+ type: keyword
+ description: |
+ The result of the extraction
+ - name: scrub_download_time
+ type: keyword
+ description: |
+ File download time from resource.
+ - name: scrub_time
+ type: keyword
+ description: |
+ Extraction process duration.
+ - name: scrub_total_time
+ type: keyword
+ description: |
+ Threat extraction total file handling time.
+ - name: scrubbed_content
+ type: keyword
+ description: |
+ Active content that was found.
+ - name: sctp_association_state
+ type: keyword
+ description: |
+ The bad state you were trying to update to.
+ - name: sctp_error
+ type: keyword
+ description: |
+ Error information, what caused sctp to fail on out_of_state.
+ - name: scv_message_info
+ type: keyword
+ description: |
+ Drop reason.
+ - name: scv_user
+ type: keyword
+ description: |
+ Username whose packets are dropped on SCV.
+ - name: securexl_message
+ type: keyword
+ description: |
+ Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
+ - name: session_id
+ type: keyword
+ description: |
+ Log uuid.
+ - name: session_uid
+ type: keyword
+ description: |
+ HTTP session-id.
+ - name: short_desc
+ type: keyword
+ description: |
+ Short description of the process that was executed.
+ - name: sig_id
+ type: keyword
+ description: |
+ Application's signature ID which how it was detected by.
+ - name: similar_communication
+ type: keyword
+ description: |
+ Network action found similar to the malicious file.
+ - name: similar_hashes
+ type: keyword
+ description: |
+ Hashes found similar to the malicious file.
+ - name: similar_strings
+ type: keyword
+ description: |
+ Strings found similar to the malicious file.
+ - name: similiar_iocs
+ type: keyword
+ description: |
+ Other IoCs similar to the ones found, related to the malicious file.
+ - name: sip_reason
+ type: keyword
+ description: |
+ Explains why 'source_ip' isn't allowed to redirect (handover).
+ - name: site_name
+ type: keyword
+ description: |
+ Site name.
+ - name: source_interface
+ type: keyword
+ description: |
+ External Interface name for source interface or Null if not found.
+ - name: source_object
+ type: keyword
+ description: |
+ Matched object name on source column.
+ - name: source_os
+ type: keyword
+ description: |
+ OS which generated the attack.
+ - name: special_properties
+ type: integer
+ description: |
+ If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
+ - name: specific_data_type_name
+ type: keyword
+ description: |
+ Compound/Group scenario, data type that was matched.
+ - name: speed
+ type: integer
+ description: |
+ Current scan speed.
+ - name: spyware_name
+ type: keyword
+ description: |
+ Spyware name.
+ - name: spyware_type
+ type: keyword
+ description: |
+ Spyware type.
+ - name: src_country
+ type: keyword
+ description: |
+ Country name, derived from connection source IP address.
+ - name: src_phone_number
+ type: keyword
+ description: |
+ Source IP-Phone.
+ - name: src_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to source IP.
+ - name: src_user_name
+ type: keyword
+ description: |
+ User name connected to source IP
+ - name: srckeyid
+ type: keyword
+ description: |
+ Initiator Spi ID.
+ - name: status
+ type: keyword
+ description: |
+ Ok/Warning/Error.
+ - name: status_update
+ type: keyword
+ description: |
+ Last time log was updated.
+ - name: sub_policy_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: sub_policy_uid
+ type: keyword
+ description: |
+ Layer uid.
+ - name: subscriber
+ type: ip
+ description: |
+ Source IP before CGNAT.
+ - name: summary
+ type: keyword
+ description: |
+ Summary message of a non-compliant DNS traffic drops or detects.
+ - name: suppressed_logs
+ type: integer
+ description: |
+ Aggregated connections for five minutes on the same source, destination and port.
+ - name: sync
+ type: keyword
+ description: |
+ Sync status and the reason (stable, at risk).
+ - name: sys_message
+ type: keyword
+ description: |
+ System messages
+ - name: tcp_end_reason
+ type: keyword
+ description: |
+ Reason for TCP connection closure.
+ - name: tcp_flags
+ type: keyword
+ description: |
+ TCP packet flags (SYN, ACK, etc.,).
+ - name: tcp_packet_out_of_state
+ type: keyword
+ description: |
+ State violation.
+ - name: tcp_state
+ type: keyword
+ description: |
+ Log reinting a tcp state change.
+ - name: te_verdict_determined_by
+ type: keyword
+ description: |
+ Emulators determined file verdict.
+ - name: ticket_id
+ type: keyword
+ description: |
+ Unique ID per file.
+ - name: tls_server_host_name
+ type: keyword
+ description: |
+ SNI/CN from encrypted TLS connection used by URLF for categorization.
+ - name: top_archive_file_name
+ type: keyword
+ description: |
+ In case of archive file: the file that was sent/received.
+ - name: total_attachments
+ type: integer
+ description: |
+ The number of attachments in an email.
+ - name: triggered_by
+ type: keyword
+ description: |
+ The name of the mechanism that triggered the Software Blade to enforce a protection.
+ - name: trusted_domain
+ type: keyword
+ description: In case of phishing event, the domain, which the attacker was impersonating.
+ - name: unique_detected_day
+ type: integer
+ description: |
+ Detected virus for a specific host during the last day.
+ - name: unique_detected_hour
+ type: integer
+ description: |
+ Detected virus for a specific host during the last hour.
+ - name: unique_detected_week
+ type: integer
+ description: |
+ Detected virus for a specific host during the last week.
+ - name: update_status
+ type: keyword
+ description: Status of database update
+ - name: url
+ type: keyword
+ description: |
+ Translated URL.
+ - name: user
+ type: keyword
+ description: |
+ Source user name.
+ - name: user_agent
+ type: keyword
+ description: |
+ String identifying requesting software user agent.
+ - name: vendor_list
+ type: keyword
+ description: |
+ The vendor name that provided the verdict for a malicious URL.
+ - name: verdict
+ type: keyword
+ description: |
+ TE engine verdict Possible values: Malicious/Benign/Error.
+ - name: via
+ type: keyword
+ description: |
+ Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+ - name: voip_attach_action_info
+ type: keyword
+ description: |
+ Attachment action Info.
+ - name: voip_attach_sz
+ type: integer
+ description: |
+ Attachment size.
+ - name: voip_call_dir
+ type: keyword
+ description: |
+ Call direction: in/out.
+ - name: voip_call_id
+ type: keyword
+ description: |
+ Call-ID.
+ - name: voip_call_state
+ type: keyword
+ description: |
+ Call state. Possible values: in/out.
+ - name: voip_call_term_time
+ type: keyword
+ description: |
+ Call termination time stamp.
+ - name: voip_config
+ type: keyword
+ description: |
+ Configuration.
+ - name: voip_duration
+ type: keyword
+ description: |
+ Call duration (seconds).
+ - name: voip_est_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_exp
+ type: integer
+ description: |
+ Expiration.
+ - name: voip_from_user_type
+ type: keyword
+ description: |
+ Source IP-Phone type.
+ - name: voip_log_type
+ type: keyword
+ description: |
+ VoIP log types. Possible values: reject, call, registration.
+ - name: voip_media_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_media_ipp
+ type: keyword
+ description: |
+ Media IP protocol.
+ - name: voip_media_port
+ type: keyword
+ description: |
+ Media int.
+ - name: voip_method
+ type: keyword
+ description: |
+ Registration request.
+ - name: voip_reason_info
+ type: keyword
+ description: |
+ Information.
+ - name: voip_reg_int
+ type: integer
+ description: |
+ Registration port.
+ - name: voip_reg_ipp
+ type: integer
+ description: |
+ Registration IP protocol.
+ - name: voip_reg_period
+ type: integer
+ description: |
+ Registration period.
+ - name: voip_reg_server
+ type: ip
+ description: |
+ Registrar server IP address.
+ - name: voip_reg_user_type
+ type: keyword
+ description: |
+ Registered IP-Phone type.
+ - name: voip_reject_reason
+ type: keyword
+ description: |
+ Reject reason.
+ - name: voip_to_user_type
+ type: keyword
+ description: |
+ Destination IP-Phone type.
+ - name: vpn_feature_name
+ type: keyword
+ description: |
+ L2TP /IKE / Link Selection.
+ - name: watermark
+ type: keyword
+ description: |
+ Reports whether watermark is added to the cleaned file.
+ - name: web_server_type
+ type: keyword
+ description: |
+ Web server detected in the HTTP response.
+ - name: word_list
+ type: keyword
+ description: |
+ Words matched by data type.
diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/manifest.yml b/packages/checkpoint/1.5.0/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..f3ae072599
--- /dev/null
+++ b/packages/checkpoint/1.5.0/data_stream/firewall/manifest.yml
@@ -0,0 +1,133 @@ +type: logs +title: Check Point firewall logs +streams: + - input: udp + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: udp.yml.hbs + title: Check Point firewall logs (syslog over UDP) + description: Collect Check Point firewall logs using udp input + - input: tcp + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimitier + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. 
+ template_path: tcp.yml.hbs + title: Check Point firewall logs (syslog over TCP) + description: Collect Check Point firewall logs using tcp input + - input: logfile + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Check Point firewall logs (log) + description: Collect Check Point firewall logs using log input diff --git a/packages/checkpoint/1.5.0/data_stream/firewall/sample_event.json b/packages/checkpoint/1.5.0/data_stream/firewall/sample_event.json new file mode 100755 index 0000000000..a375c48028 --- /dev/null +++ b/packages/checkpoint/1.5.0/data_stream/firewall/sample_event.json 
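Review bot: The commented-out example in the `tcp_options` default misspells the framing option: `#framing: delimitier` should read `#framing: delimiter`, since an operator who uncomments the template as shipped gets an unrecognised framing value instead of a working config. The `ssl` var's description says `i.e. certificate_authorities, supported_protocols, verification_mode etc.` where `e.g.` is meant, as these are examples of keys rather than the full list. As a point of style, the `ssl` var puts `description` before `multi`/`required`/`show_user`, unlike every other var in the file, which places `description` after `show_user`; reordering keeps the stanzas uniform. Because the SSL default is entirely commented out, the TCP stream accepts plaintext syslog until an operator fills that block in; a short sentence in the `ssl` description saying that TLS is off unless this block is configured would make that default visible where the option is edited.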
@@ -0,0 +1,64 @@ +{ + "@timestamp": "2020-03-29T13:19:20.000Z", + "agent": { + "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5", + "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "checkpoint": { + "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk" + }, + "data_stream": { + "dataset": "checkpoint.firewall", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2021-12-25T09:18:51.178Z", + "dataset": "checkpoint.firewall", + "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", + "ingested": "2021-12-25T09:18:52Z", + "kind": "event", + "sequence": 1, + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.32.7:52492" + } + }, + "network": { + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "daemon" + } + }, + "name": "192.168.1.100", + "product": "System Monitor", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/checkpoint/1.5.0/docs/README.md b/packages/checkpoint/1.5.0/docs/README.md new file mode 100755 index 0000000000..fc59623876 --- /dev/null +++ b/packages/checkpoint/1.5.0/docs/README.md 
@@ -0,0 +1,671 @@ +# Check Point Integration + +This integration is for [Check Point](https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.8%20) products. It includes the +following datasets for receiving logs: + +- `firewall` dataset: consists of log entries from the [Log Exporter]( + https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323) + in the Syslog format. + +## Compatibility + +This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30. + +## Logs + +### Firewall + +Consists of log entries from the Log Exporter in the Syslog format. + +An example event for `firewall` looks as following: + +```json +{ + "@timestamp": "2020-03-29T13:19:20.000Z", + "agent": { + "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5", + "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "checkpoint": { + "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. 
Your network may be at risk" + }, + "data_stream": { + "dataset": "checkpoint.firewall", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2021-12-25T09:18:51.178Z", + "dataset": "checkpoint.firewall", + "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", + "ingested": "2021-12-25T09:18:52Z", + "kind": "event", + "sequence": 1, + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.32.7:52492" + } + }, + "network": { + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "daemon" + } + }, + "name": "192.168.1.100", + "product": "System Monitor", + "type": "firewall", + "vendor": "Checkpoint" + }, + "tags": [ + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| checkpoint.action_reason | Connection drop reason. | integer | +| checkpoint.action_reason_msg | Connection drop reason message. | keyword | +| checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword | +| checkpoint.additional_ip | DNS host name. | keyword | +| checkpoint.additional_rdata | List of additional resource records. | keyword | +| checkpoint.alert | Alert level of matched rule (for connection logs). | keyword | +| checkpoint.allocated_ports | Amount of allocated ports. | integer | +| checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword | +| checkpoint.answer_rdata | List of answer resource records to the questioned domains. | keyword | +| checkpoint.anti_virus_type | Anti virus type. | keyword | +| checkpoint.app_desc | Application description. | keyword | +| checkpoint.app_id | Application ID. 
| integer | +| checkpoint.app_package | Unique identifier of the application on the protected mobile device. | keyword | +| checkpoint.app_properties | List of all found categories. | keyword | +| checkpoint.app_repackaged | Indicates whether the original application was repackage not by the official developer. | keyword | +| checkpoint.app_sid_id | Unique SHA identifier of a mobile application. | keyword | +| checkpoint.app_sig_id | IOC indicator description. | keyword | +| checkpoint.app_version | Version of the application downloaded on the protected mobile device. | keyword | +| checkpoint.appi_name | Name of application downloaded on the protected mobile device. | keyword | +| checkpoint.arrival_time | Email arrival timestamp. | keyword | +| checkpoint.attachments_num | Number of attachments in the mail. | integer | +| checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword | +| checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword | +| checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword | +| checkpoint.authority_rdata | List of authoritative servers. | keyword | +| checkpoint.authorization | Authorization HTTP header value. | keyword | +| checkpoint.bcc | List of BCC addresses. | keyword | +| checkpoint.blade_name | Blade name. | keyword | +| checkpoint.broker_publisher | IP address of the broker publisher who shared the session information. | ip | +| checkpoint.browse_time | Application session browse time. | keyword | +| checkpoint.c_bytes | Boolean value indicates whether bytes sent from the client side are used. | integer | +| checkpoint.calc_desc | Log description. | keyword | +| checkpoint.capacity | Capacity of the ports. | integer | +| checkpoint.capture_uuid | UUID generated for the capture. Used when enabling the capture when logging. | keyword | +| checkpoint.cc | The Carbon Copy address of the email. 
| keyword | +| checkpoint.certificate_resource | HTTPS resource Possible values: SNI or domain name (DN). | keyword | +| checkpoint.certificate_validation | Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. | keyword | +| checkpoint.cgnet | Describes NAT allocation for specific subscriber. | keyword | +| checkpoint.chunk_type | Chunck of the sctp stream. | keyword | +| checkpoint.client_name | Client Application or Software Blade that detected the event. | keyword | +| checkpoint.client_type | Endpoint Connect. | keyword | +| checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword | +| checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword | +| checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword | +| checkpoint.comment | | keyword | +| checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword | +| checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer | +| checkpoint.conn_direction | Connection direction | keyword | +| checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword | +| checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword | +| checkpoint.conns_amount | Connections amount of aggregated log info. | integer | +| checkpoint.content_disposition | Indicates how the content is expected to be displayed inline in the browser. | keyword | +| checkpoint.content_length | Indicates the size of the entity-body of the HTTP header. | keyword | +| checkpoint.content_risk | File risk. | integer | +| checkpoint.content_type | Mail content type. Possible values: application/msword, text/html, image/gif etc. | keyword | +| checkpoint.context_num | Serial number of the log for a specific connection. | integer | +| checkpoint.cookieI | Initiator cookie. 
| keyword | +| checkpoint.cookieR | Responder cookie. | keyword | +| checkpoint.cp_message | Used to log a general message. | integer | +| checkpoint.cvpn_category | Mobile Access application type. | keyword | +| checkpoint.cvpn_resource | Mobile Access application. | keyword | +| checkpoint.data_type_name | Data type in rulebase that was matched. | keyword | +| checkpoint.db_ver | Database version | keyword | +| checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword | +| checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword | +| checkpoint.desc | Override application description. | keyword | +| checkpoint.description | Additional explanation how the security gateway enforced the connection. | keyword | +| checkpoint.destination_object | Matched object name on destination column. | keyword | +| checkpoint.detected_on | System and applications version the file was emulated on. | keyword | +| checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword | +| checkpoint.diameter_app_ID | The ID of diameter application. | integer | +| checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer | +| checkpoint.diameter_msg_type | Diameter message type. | keyword | +| checkpoint.dlp_action_reason | Action chosen reason. | keyword | +| checkpoint.dlp_additional_action | Watermark/None. | keyword | +| checkpoint.dlp_categories | Data type category. | keyword | +| checkpoint.dlp_data_type_name | Matched data type. | keyword | +| checkpoint.dlp_data_type_uid | Unique ID of the matched data type. | keyword | +| checkpoint.dlp_fingerprint_files_number | Number of successfully scanned files in repository. | integer | +| checkpoint.dlp_fingerprint_long_status | Scan status - long format. | keyword | +| checkpoint.dlp_fingerprint_short_status | Scan status - short format. 
| keyword | +| checkpoint.dlp_incident_uid | Unique ID of the matched rule. | keyword | +| checkpoint.dlp_recipients | Mail recipients. | keyword | +| checkpoint.dlp_related_incident_uid | Other ID related to this one. | keyword | +| checkpoint.dlp_relevant_data_types | In case of Compound/Group: the inner data types that were matched. | keyword | +| checkpoint.dlp_repository_directories_number | Number of directories in repository. | integer | +| checkpoint.dlp_repository_files_number | Number of files in repository. | integer | +| checkpoint.dlp_repository_id | ID of scanned repository. | keyword | +| checkpoint.dlp_repository_not_scanned_directories_percentage | Percentage of directories the Security Gateway was unable to read. | integer | +| checkpoint.dlp_repository_reached_directories_number | Number of scanned directories in repository. | integer | +| checkpoint.dlp_repository_root_path | Repository path. | keyword | +| checkpoint.dlp_repository_scan_progress | Scan percentage. | integer | +| checkpoint.dlp_repository_scanned_directories_number | Amount of directories scanned. | integer | +| checkpoint.dlp_repository_scanned_files_number | Number of scanned files in repository. | integer | +| checkpoint.dlp_repository_scanned_total_size | Size scanned. | integer | +| checkpoint.dlp_repository_skipped_files_number | Skipped number of files because of configuration. | integer | +| checkpoint.dlp_repository_total_size | Repository size. | integer | +| checkpoint.dlp_repository_unreachable_directories_number | Number of directories the Security Gateway was unable to read. | integer | +| checkpoint.dlp_rule_name | Matched rule name. | keyword | +| checkpoint.dlp_subject | Mail subject. | keyword | +| checkpoint.dlp_template_score | Template data type match score. | keyword | +| checkpoint.dlp_transint | HTTP/SMTP/FTP. | keyword | +| checkpoint.dlp_violation_description | Violation descriptions described in the rulebase. 
| keyword | +| checkpoint.dlp_watermark_profile | Watermark which was applied. | keyword | +| checkpoint.dlp_word_list | Phrases matched by data type. | keyword | +| checkpoint.dns_query | DNS query. | keyword | +| checkpoint.drop_reason | Drop reason description. | keyword | +| checkpoint.dropped_file_hash | List of file hashes dropped from the original file. | keyword | +| checkpoint.dropped_file_name | List of names dropped from the original file. | keyword | +| checkpoint.dropped_file_type | List of file types dropped from the original file. | keyword | +| checkpoint.dropped_file_verdict | List of file verdics dropped from the original file. | keyword | +| checkpoint.dropped_incoming | Number of incoming bytes dropped when using UP-limit feature. | integer | +| checkpoint.dropped_outgoing | Number of outgoing bytes dropped when using UP-limit feature. | integer | +| checkpoint.dropped_total | Amount of dropped packets (both incoming and outgoing). | integer | +| checkpoint.drops_amount | Amount of multicast packets dropped. | integer | +| checkpoint.dst_country | Destination country. | keyword | +| checkpoint.dst_phone_number | Destination IP-Phone. | keyword | +| checkpoint.dst_user_name | Connected user name on the destination IP. | keyword | +| checkpoint.dstkeyid | Responder Spi ID. | keyword | +| checkpoint.duplicate | Log marked as duplicated, when mail is split and the Security Gateway sees it twice. | keyword | +| checkpoint.duration | Scan duration. | keyword | +| checkpoint.elapsed | Time passed since start time. | keyword | +| checkpoint.email_content | Mail contents. Possible options: attachments/links & attachments/links/text only. | keyword | +| checkpoint.email_control | Engine name. | keyword | +| checkpoint.email_control_analysis | Message classification, received from spam vendor engine. | keyword | +| checkpoint.email_headers | String containing all the email headers. | keyword | +| checkpoint.email_id | Email number in smtp connection. 
| keyword | +| checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword | +| checkpoint.email_queue_id | Postfix email queue id. | keyword | +| checkpoint.email_queue_name | Postfix email queue name. | keyword | +| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long | +| checkpoint.email_session_id | Connection uuid. | keyword | +| checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword | +| checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword | +| checkpoint.email_subject | Original email subject. | keyword | +| checkpoint.emulated_on | Images the files were emulated on. | keyword | +| checkpoint.encryption_failure | Message indicating why the encryption failed. | keyword | +| checkpoint.end_time | TCP connection end time. | keyword | +| checkpoint.end_user_firewall_type | End user firewall type. | keyword | +| checkpoint.esod_access_status | Access denied. | keyword | +| checkpoint.esod_associated_policies | Associated policies. | keyword | +| checkpoint.esod_noncompliance_reason | Non-compliance reason. | keyword | +| checkpoint.esod_rule_action | Unknown rule action. | keyword | +| checkpoint.esod_rule_name | Unknown rule name. | keyword | +| checkpoint.esod_rule_type | Unknown rule type. | keyword | +| checkpoint.esod_scan_status | Scan failed. | keyword | +| checkpoint.event_count | Number of events associated with the log. | long | +| checkpoint.expire_time | Connection closing time. | keyword | +| checkpoint.extension_version | Build version of the SandBlast Agent browser extension. | keyword | +| checkpoint.extracted_file_hash | Archive hash in case of extracted files. | keyword | +| checkpoint.extracted_file_names | Names of extracted files in case of an archive. 
| keyword | +| checkpoint.extracted_file_type | Types of extracted files in case of an archive. | keyword | +| checkpoint.extracted_file_uid | UID of extracted files in case of an archive. | keyword | +| checkpoint.extracted_file_verdict | Verdict of extracted files in case of an archive. | keyword | +| checkpoint.failure_impact | The impact of update service failure. | keyword | +| checkpoint.failure_reason | MTA failure description. | keyword | +| checkpoint.file_direction | File direction. Possible options: upload/download. | keyword | +| checkpoint.file_name | Malicious file name. | keyword | +| checkpoint.files_names | List of files requested by FTP. | keyword | +| checkpoint.first_hit_time | First hit time in current interval. | integer | +| checkpoint.fs-proto | The file share protocol used in mobile acess file share application. | keyword | +| checkpoint.ftp_user | FTP username. | keyword | +| checkpoint.fw_message | Used for various firewall errors. | keyword | +| checkpoint.fw_subproduct | Can be vpn/non vpn. | keyword | +| checkpoint.hide_ip | Source IP which will be used after CGNAT. | ip | +| checkpoint.hit | Number of hits on a rule. | integer | +| checkpoint.host_time | Local time on the endpoint computer. | keyword | +| checkpoint.http_host | Domain name of the server that the HTTP request is sent to. | keyword | +| checkpoint.http_location | Response header, indicates the URL to redirect a page to. | keyword | +| checkpoint.http_server | Server HTTP header value, contains information about the software used by the origin server, which handles the request. | keyword | +| checkpoint.https_inspection_action | HTTPS inspection action (Inspect/Bypass/Error). | keyword | +| checkpoint.https_inspection_rule_id | ID of the matched rule. | keyword | +| checkpoint.https_inspection_rule_name | Name of the matched rule. | keyword | +| checkpoint.https_validation | Precise error, describing HTTPS inspection failure. 
| keyword | +| checkpoint.icap_more_info | Free text for verdict. | integer | +| checkpoint.icap_server_name | Server name. | keyword | +| checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword | +| checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer | +| checkpoint.icmp | Number of packets, received by the client. | keyword | +| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long | +| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long | +| checkpoint.id | Override application ID. | integer | +| checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword | +| checkpoint.ike_ids | All QM ids. | keyword | +| checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword | +| checkpoint.incident_extension | Matched data type. | keyword | +| checkpoint.indicator_description | IOC indicator description. | keyword | +| checkpoint.indicator_name | IOC indicator name. | keyword | +| checkpoint.indicator_reference | IOC indicator reference. | keyword | +| checkpoint.indicator_uuid | IOC indicator uuid. | keyword | +| checkpoint.info | Special log message. | keyword | +| checkpoint.information | Policy installation status for a specific blade. | keyword | +| checkpoint.inspection_category | Inspection category: protocol anomaly, signature etc. | keyword | +| checkpoint.inspection_item | Blade element performed inspection. | keyword | +| checkpoint.inspection_profile | Profile which the activated protection belongs to. | keyword | +| checkpoint.inspection_settings_log | Indicats that the log was released by inspection settings. | keyword | +| checkpoint.installed_products | List of installed Endpoint Software Blades. | keyword | +| checkpoint.int_end | Subscriber end int which will be used for NAT. 
| integer | +| checkpoint.int_start | Subscriber start int which will be used for NAT. | integer | +| checkpoint.interface_name | Designated interface for mirror And decrypt. | keyword | +| checkpoint.internal_error | Internal error, for troubleshooting | keyword | +| checkpoint.invalid_file_size | File_size field is valid only if this field is set to 0. | integer | +| checkpoint.ip_option | IP option that was dropped. | integer | +| checkpoint.isp_link | Name of ISP link. | keyword | +| checkpoint.last_hit_time | Last hit time in current interval. | integer | +| checkpoint.last_rematch_time | Connection rematched time. | keyword | +| checkpoint.layer_name | Layer name. | keyword | +| checkpoint.layer_uuid | Layer UUID. | keyword | +| checkpoint.limit_applied | Indicates whether the session was actually date limited. | integer | +| checkpoint.limit_requested | Indicates whether data limit was requested for the session. | integer | +| checkpoint.link_probing_status_update | IP address response status. | keyword | +| checkpoint.links_num | Number of links in the mail. | integer | +| checkpoint.log_delay | Time left before deleting template. | integer | +| checkpoint.log_id | Unique identity for logs. | integer | +| checkpoint.logid | System messages | keyword | +| checkpoint.long_desc | More information on the process (usually describing error reason in failure). | keyword | +| checkpoint.machine | L2TP machine which triggered the log and the log refers to it. | keyword | +| checkpoint.malware_family | Additional information on protection. | keyword | +| checkpoint.match_fk | Rule number. | integer | +| checkpoint.match_id | Private key of the rule | integer | +| checkpoint.matched_file | Unique ID of the matched data type. | keyword | +| checkpoint.matched_file_percentage | Fingerprint: match percentage of the traffic. | integer | +| checkpoint.matched_file_text_segments | Fingerprint: number of text segments matched by this traffic. 
| integer | +| checkpoint.media_type | Media used (audio, video, etc.) | keyword | +| checkpoint.message | ISP link has failed. | keyword | +| checkpoint.message_info | Used for information messages, for example:NAT connection has ended. | keyword | +| checkpoint.message_size | Mail/post size. | integer | +| checkpoint.method | HTTP method. | keyword | +| checkpoint.methods | IPSEc methods. | keyword | +| checkpoint.mime_from | Sender's address. | keyword | +| checkpoint.mime_to | List of receiver address. | keyword | +| checkpoint.mirror_and_decrypt_type | Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). | keyword | +| checkpoint.mitre_collection | The adversary is trying to collect data of interest to achieve his goal. | keyword | +| checkpoint.mitre_command_and_control | The adversary is trying to communicate with compromised systems in order to control them. | keyword | +| checkpoint.mitre_credential_access | The adversary is trying to steal account names and passwords. | keyword | +| checkpoint.mitre_defense_evasion | The adversary is trying to avoid being detected. | keyword | +| checkpoint.mitre_discovery | The adversary is trying to expose information about your environment. | keyword | +| checkpoint.mitre_execution | The adversary is trying to run malicious code. | keyword | +| checkpoint.mitre_exfiltration | The adversary is trying to steal data. | keyword | +| checkpoint.mitre_impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. | keyword | +| checkpoint.mitre_initial_access | The adversary is trying to break into your network. | keyword | +| checkpoint.mitre_lateral_movement | The adversary is trying to explore your environment. | keyword | +| checkpoint.mitre_persistence | The adversary is trying to maintain his foothold. 
| keyword | +| checkpoint.mitre_privilege_escalation | The adversary is trying to gain higher-level permissions. | keyword | +| checkpoint.monitor_reason | Aggregated logs of monitored packets. | keyword | +| checkpoint.msgid | Message ID. | keyword | +| checkpoint.name | Application name. | keyword | +| checkpoint.nat46 | NAT 46 status, in most cases "enabled". | keyword | +| checkpoint.nat_addtnl_rulenum | When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. | integer | +| checkpoint.nat_exhausted_pool | 4-tuple of an exhausted pool. | keyword | +| checkpoint.nat_rulenum | NAT rulebase first matched rule. | integer | +| checkpoint.needs_browse_time | Browse time required for the connection. | integer | +| checkpoint.next_hop_ip | Next hop IP address. | keyword | +| checkpoint.next_scheduled_scan_date | Next scan scheduled time according to time object. | keyword | +| checkpoint.number_of_errors | Number of files that were not scanned due to an error. | integer | +| checkpoint.objecttable | Table of affected objects. | keyword | +| checkpoint.objecttype | The type of the affected object. | keyword | +| checkpoint.observable_comment | IOC observable signature description. | keyword | +| checkpoint.observable_id | IOC observable signature id. | keyword | +| checkpoint.observable_name | IOC observable signature name. | keyword | +| checkpoint.operation | Operation made by Threat Extraction. | keyword | +| checkpoint.operation_number | The operation nuber. | keyword | +| checkpoint.origin_sic_name | Machine SIC. | keyword | +| checkpoint.original_queue_id | Original postfix email queue id. | keyword | +| checkpoint.outgoing_url | URL related to this log (for HTTP). | keyword | +| checkpoint.packet_amount | Amount of packets dropped. | integer | +| checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword | +| checkpoint.parent_file_hash | Archive's hash in case of extracted files. 
| keyword | +| checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword | +| checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword | +| checkpoint.parent_process_username | Owner username of the parent process of the process that triggered the attack. | keyword | +| checkpoint.parent_rule | Parent rule number, in case of inline layer. | integer | +| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | +| checkpoint.peer_ip | IP address which the client connects to. | keyword | +| checkpoint.peer_ip_probing_status_update | IP address response status. | keyword | +| checkpoint.performance_impact | Protection performance impact. | integer | +| checkpoint.policy_mgmt | Name of the Management Server that manages this Security Gateway. | keyword | +| checkpoint.policy_name | Name of the last policy that this Security Gateway fetched. | keyword | +| checkpoint.ports_usage | Percentage of allocated ports. | integer | +| checkpoint.ppp | Authentication status. | keyword | +| checkpoint.precise_error | HTTP parser error. | keyword | +| checkpoint.process_username | Owner username of the process that triggered the attack. | keyword | +| checkpoint.properties | Application categories. | keyword | +| checkpoint.protection_id | Protection malware id. | keyword | +| checkpoint.protection_name | Specific signature name of the attack. | keyword | +| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | +| checkpoint.protocol | Protocol detected on the connection. | keyword | +| checkpoint.proxy_machine_name | Machine name connected to proxy IP. | integer | +| checkpoint.proxy_src_ip | Sender source IP (even when using proxy). | ip | +| checkpoint.proxy_user_dn | User distinguished name connected to proxy IP. | keyword | +| checkpoint.proxy_user_name | User name connected to proxy IP. | keyword | +| checkpoint.query | DNS query. 
| keyword | +| checkpoint.question_rdata | List of question records domains. | keyword | +| checkpoint.referrer | Referrer HTTP request header, previous web page address. | keyword | +| checkpoint.referrer_parent_uid | Log UUID of the referring application. | keyword | +| checkpoint.referrer_self_uid | UUID of the current log. | keyword | +| checkpoint.registered_ip-phones | Registered IP-Phones. | keyword | +| checkpoint.reject_category | Authentication failure reason. | keyword | +| checkpoint.reject_id | A reject ID that corresponds to the one presented in the Mobile Access error page. | keyword | +| checkpoint.rematch_info | Information sent when old connections cannot be matched during policy installation. | keyword | +| checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword | +| checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer | +| checkpoint.risk | Risk level we got from the engine. | keyword | +| checkpoint.rpc_prog | Log for new RPC state - prog values. | integer | +| checkpoint.rule | Matched rule number. | integer | +| checkpoint.rule_action | Action of the matched rule in the access policy. | keyword | +| checkpoint.rulebase_id | Layer number. | integer | +| checkpoint.scan_direction | Scan direction. | keyword | +| checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer | +| checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer | +| checkpoint.scan_hosts_week | Number of unique hosts during the last week. | integer | +| checkpoint.scan_id | Sequential number of scan. | keyword | +| checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer | +| checkpoint.scan_results | "Infected"/description of a failure. | keyword | +| checkpoint.scheme | Describes the scheme used for the log. 
| keyword | +| checkpoint.scope | IP related to the attack. | keyword | +| checkpoint.scrub_activity | The result of the extraction | keyword | +| checkpoint.scrub_download_time | File download time from resource. | keyword | +| checkpoint.scrub_time | Extraction process duration. | keyword | +| checkpoint.scrub_total_time | Threat extraction total file handling time. | keyword | +| checkpoint.scrubbed_content | Active content that was found. | keyword | +| checkpoint.sctp_association_state | The bad state you were trying to update to. | keyword | +| checkpoint.sctp_error | Error information, what caused sctp to fail on out_of_state. | keyword | +| checkpoint.scv_message_info | Drop reason. | keyword | +| checkpoint.scv_user | Username whose packets are dropped on SCV. | keyword | +| checkpoint.securexl_message | Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. | keyword | +| checkpoint.session_id | Log uuid. | keyword | +| checkpoint.session_uid | HTTP session-id. | keyword | +| checkpoint.short_desc | Short description of the process that was executed. | keyword | +| checkpoint.sig_id | Application's signature ID which how it was detected by. | keyword | +| checkpoint.similar_communication | Network action found similar to the malicious file. | keyword | +| checkpoint.similar_hashes | Hashes found similar to the malicious file. | keyword | +| checkpoint.similar_strings | Strings found similar to the malicious file. | keyword | +| checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword | +| checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword | +| checkpoint.site_name | Site name. | keyword | +| checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword | +| checkpoint.source_object | Matched object name on source column. 
| keyword | +| checkpoint.source_os | OS which generated the attack. | keyword | +| checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer | +| checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword | +| checkpoint.speed | Current scan speed. | integer | +| checkpoint.spyware_name | Spyware name. | keyword | +| checkpoint.spyware_type | Spyware type. | keyword | +| checkpoint.src_country | Country name, derived from connection source IP address. | keyword | +| checkpoint.src_phone_number | Source IP-Phone. | keyword | +| checkpoint.src_user_dn | User distinguished name connected to source IP. | keyword | +| checkpoint.src_user_name | User name connected to source IP | keyword | +| checkpoint.srckeyid | Initiator Spi ID. | keyword | +| checkpoint.status | Ok/Warning/Error. | keyword | +| checkpoint.status_update | Last time log was updated. | keyword | +| checkpoint.sub_policy_name | Layer name. | keyword | +| checkpoint.sub_policy_uid | Layer uid. | keyword | +| checkpoint.subscriber | Source IP before CGNAT. | ip | +| checkpoint.summary | Summary message of a non-compliant DNS traffic drops or detects. | keyword | +| checkpoint.suppressed_logs | Aggregated connections for five minutes on the same source, destination and port. | integer | +| checkpoint.sync | Sync status and the reason (stable, at risk). | keyword | +| checkpoint.sys_message | System messages | keyword | +| checkpoint.tcp_end_reason | Reason for TCP connection closure. | keyword | +| checkpoint.tcp_flags | TCP packet flags (SYN, ACK, etc.,). | keyword | +| checkpoint.tcp_packet_out_of_state | State violation. | keyword | +| checkpoint.tcp_state | Log reinting a tcp state change. | keyword | +| checkpoint.te_verdict_determined_by | Emulators determined file verdict. | keyword | +| checkpoint.ticket_id | Unique ID per file. 
| keyword | +| checkpoint.tls_server_host_name | SNI/CN from encrypted TLS connection used by URLF for categorization. | keyword | +| checkpoint.top_archive_file_name | In case of archive file: the file that was sent/received. | keyword | +| checkpoint.total_attachments | The number of attachments in an email. | integer | +| checkpoint.triggered_by | The name of the mechanism that triggered the Software Blade to enforce a protection. | keyword | +| checkpoint.trusted_domain | In case of phishing event, the domain, which the attacker was impersonating. | keyword | +| checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer | +| checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer | +| checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer | +| checkpoint.update_status | Status of database update | keyword | +| checkpoint.url | Translated URL. | keyword | +| checkpoint.user | Source user name. | keyword | +| checkpoint.user_agent | String identifying requesting software user agent. | keyword | +| checkpoint.vendor_list | The vendor name that provided the verdict for a malicious URL. | keyword | +| checkpoint.verdict | TE engine verdict Possible values: Malicious/Benign/Error. | keyword | +| checkpoint.via | Via header is added by proxies for tracking purposes to avoid sending reqests in loop. | keyword | +| checkpoint.voip_attach_action_info | Attachment action Info. | keyword | +| checkpoint.voip_attach_sz | Attachment size. | integer | +| checkpoint.voip_call_dir | Call direction: in/out. | keyword | +| checkpoint.voip_call_id | Call-ID. | keyword | +| checkpoint.voip_call_state | Call state. Possible values: in/out. | keyword | +| checkpoint.voip_call_term_time | Call termination time stamp. | keyword | +| checkpoint.voip_config | Configuration. | keyword | +| checkpoint.voip_duration | Call duration (seconds). 
| keyword | +| checkpoint.voip_est_codec | Estimated codec. | keyword | +| checkpoint.voip_exp | Expiration. | integer | +| checkpoint.voip_from_user_type | Source IP-Phone type. | keyword | +| checkpoint.voip_log_type | VoIP log types. Possible values: reject, call, registration. | keyword | +| checkpoint.voip_media_codec | Estimated codec. | keyword | +| checkpoint.voip_media_ipp | Media IP protocol. | keyword | +| checkpoint.voip_media_port | Media int. | keyword | +| checkpoint.voip_method | Registration request. | keyword | +| checkpoint.voip_reason_info | Information. | keyword | +| checkpoint.voip_reg_int | Registration port. | integer | +| checkpoint.voip_reg_ipp | Registration IP protocol. | integer | +| checkpoint.voip_reg_period | Registration period. | integer | +| checkpoint.voip_reg_server | Registrar server IP address. | ip | +| checkpoint.voip_reg_user_type | Registered IP-Phone type. | keyword | +| checkpoint.voip_reject_reason | Reject reason. | keyword | +| checkpoint.voip_to_user_type | Destination IP-Phone type. | keyword | +| checkpoint.vpn_feature_name | L2TP /IKE / Link Selection. | keyword | +| checkpoint.watermark | Reports whether watermark is added to the cleaned file. | keyword | +| checkpoint.web_server_type | Web server detected in the HTTP response. | keyword | +| checkpoint.word_list | Words matched by data type. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. 
| keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.service.name | Name of the service data is collected from. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.bcc.address | The email address of BCC recipient | keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.sequence | Sequence number of the event. 
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. 
| keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address of logs received over the network. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. 
| keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.hash.md5 | MD5 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. 
| keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. 
| keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
+
diff --git a/packages/checkpoint/1.5.0/img/checkpoint-logo.svg b/packages/checkpoint/1.5.0/img/checkpoint-logo.svg
new file mode 100755
index 0000000000..e71866e78c
--- /dev/null
+++ b/packages/checkpoint/1.5.0/img/checkpoint-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/checkpoint/1.5.0/manifest.yml b/packages/checkpoint/1.5.0/manifest.yml
new file mode 100755
index 0000000000..2605e5ca2e
--- /dev/null
+++ b/packages/checkpoint/1.5.0/manifest.yml
@@ -0,0 +1,109 @@
+name: checkpoint
+title: Check Point
+version: 1.5.0
+release: ga
+description: Collect logs from Check Point with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/checkpoint-logo.svg
+ title: Check Point
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: checkpoint
+ title: Check Point logs
+ description: Collect logs from Check Point instances
+ inputs:
+ - type: logfile
+ title: "Collect Check Point firewall logs (input: logfile)"
+ description: "Collecting firewall logs from Check Point instances (input: logfile)"
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - type: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: tcp)"
+ description: "Collecting firewall logs from Check Point instances (input: tcp)"
+ - type: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type:
text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: udp)"
+ description: "Collecting firewall logs from Check Point instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_asa/2.4.1/changelog.yml b/packages/cisco_asa/2.4.1/changelog.yml
new file mode 100755
index 0000000000..f2836b68e1
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/changelog.yml
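Review bot: The tcp input under `policy_templates` offers only `syslog_host`, `syslog_port` and the two zone lists, with no `ssl` variable, so Check Point syslog over TCP can be received in plaintext only; the cisco_asa `tcp.yml.hbs` elsewhere in this diff renders an optional `ssl:` block from an `ssl` var, and the same pattern (a matching `ssl` var here plus the corresponding change in this package's tcp stream template, which is outside this view) would give operators transport protection and peer authentication for the firewall log feed. `internal_zones`/`external_zones` default to `trust`/`untrust` on the logfile input but carry no default on the tcp and udp inputs, which is presumably deliberate but deserves either aligning or a short note in those vars' descriptions. Key order also differs: `title`/`description` precede `vars` for logfile but follow them for tcp and udp; one order makes the three inputs easier to compare.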
@@ -0,0 +1,102 @@
+# newer versions go on top
+- version: "2.4.1"
+ changes:
+ - description: Ensure invalid event.outcome does not get recorded in event
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3354
+- version: "2.4.0"
+ changes:
+ - description: Add TCP input with TLS support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3312
+- version: "2.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2778
+- version: "2.2.2"
+ changes:
+ - description: Change visualizations to use event.code instead of cisco.asa.message_id.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3146
+- version: "2.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.2.0"
+ changes:
+ - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2820
+ - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2820
+ - description: Change event.outcome and event.type handling to be more ECS compliant.
elastic/beats#29698
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2820
+- version: "2.1.0"
+ changes:
+ - description: Add parsing for event code 113029-113040
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2535
+- version: "2.0.1"
+ changes:
+ - description: Clarify configuration option documentation
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2649
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2389
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2236
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1952
+- version: "1.2.1"
+ changes:
+ - description: Relax time parsing and capture group and session type in Cisco ASA module
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1891
+- version: "1.2.0"
+ changes:
+ - description: Add support for Cisco ASA SIP events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1865
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1805
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1782
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1732
+- version: "1.0.0"
+ changes:
+ - description: Split Cisco ASA into its own package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1583
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..1190ec3f3c
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..169989f2d7
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e01f113448
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/2.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..727d8b4eb3
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
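Review bot: `{{tcp_options}}` is spliced in as raw text at the top level of the input, after `host`, `tags` and `ssl`, so any key it repeats silently overrides the earlier one under last-key-wins YAML parsing; since this is presumably the intended extension point, a comment in the template would spare the next maintainer a surprise, e.g. `# tcp_options is raw YAML appended at input level; keys already set above (host, tags, ssl) must not be repeated here`. The `ssl:` block is rendered only when the `ssl` var is set, so the default listener on `{{tcp_host}}:{{tcp_port}}` accepts unauthenticated plaintext syslog from any peer that can reach it; the var's description in the package manifest (not in this view) should state that TLS is available and what the unencrypted default implies. The same raw splice of `{{processors}}` directly after `- add_locale: ~` is used in `stream.yml.hbs` and `udp.yml.hbs`, where the value must render as a column-0 sequence to remain valid YAML.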
@@ -0,0 +1,2113 @@ +--- +description: "Pipeline for Cisco ASA logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '8.2.0' + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. 
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
+ - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - 
^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && 
ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: "111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113040'" + field: "message" + description: "113040" + pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." 
+ - grok: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" + patterns: + - "Group %{NOTSPACE:source.user.group.name} User %{USER:source.user.name} IP %{IP:source.address}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" + field: "message" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? 
to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" + pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: allowed + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'338001'"
+ field: "message"
+ description: "338001"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "server.domain"
+ description: "338001"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "message"
+ description: "338002"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "server.domain"
+ description: "338002"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338003'"
+ field: "message"
+ description: "338003"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338004'"
+ field: "message"
+ description: "338004"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "message"
+ description: "338005"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "server.domain"
+ description: "338005"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "message"
+ description: "338006"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "server.domain"
+ description: "338006"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338007'"
+ field: "message"
+ description: "338007"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338008'"
+ field: "message"
+ description: "338008"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "message"
+ description: "338101"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "server.domain"
+ description: "338101"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "message"
+ description: "338102"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "server.domain"
+ description: "338102"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338103'"
+ field: "message"
+ description: "338103"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338104'"
+ field: "message"
+ description: "338104"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "message"
+ description: "338201"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "server.domain"
+ description: "338201"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "message"
+ description: "338202"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "server.domain"
+ description: "338202"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "message"
+ description: "338203"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "server.domain"
+ description: "338203"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "message"
+ description: "338204"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "server.domain"
+ description: "338204"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "message"
+ description: "338301"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.address"
+ description: "338301"
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.port"
+ description: "338301"
+ value: "{{destination.port}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.address"
+ description: "338301"
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.port"
+ description: "338301"
+ value: "{{source.port}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ description: "502103"
+ pattern: "User priv level changed: Uname: %{server.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '607001'"
+ field: "message"
+ description: "607001"
+ pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '607001'"
+ description: "607001"
+ field: "_temp_.cisco.connection_type"
+ patterns:
+ - "%{CONNECTION}"
+ pattern_definitions:
+ TRANSPORTS: "(?:UDP|TCP)"
+ PROTOCOLS: "(?:RTP|RTCP)"
+ CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})"
+ ignore_failure: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710005'"
+ field: "message"
+ description: "710005"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ description: "716002"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ description: "722051"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ description: "733100"
+ patterns:
+ - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count}
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ description: "734001"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ description: "805001"
+ pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ description: "805002"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434004'"
+ field: "message"
+ pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '110002'"
+ field: "message"
+ pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '419002'"
+ field: "message"
+ pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
+ - dissect:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750002'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713120'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713202'"
+ field: "message"
+ pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "dropped"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "dropped"
+ - set:
+ if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["113039"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-connected"
+ - set:
+ if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-error"
+ - set:
+ if: '["113040"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-disconnected"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002"
+ - grok:
+ field: "message"
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
+ patterns:
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
+ - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})"
+ DURATION: "%{INT}:%{MINUTE}:%{SECOND}"
+ CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?)
+
+ #
+ # Decode FTD's Security Event Syslog Messages
+ #
+ # 43000x messages are security event syslog messages specific to FTD.
+ # Format is a comma-separated sequence of key: value pairs.
+ #
+ # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
+ - kv:
+ if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "430001, 430002, 430003, 430004, 430005"
+ field_split: ",(?=[A-za-z1-9\\s]+:)"
+ value_split: ":"
+ target_field: "_temp_.orig_security"
+ trim_key: " "
+ trim_value: " "
+ ignore_failure: true
+
+ #
+ # Remove _temp_.full_message.
+ #
+ # The field has been used as temporary buffer while decoding. The full message
+ # is kept under event.original. Processors below can still add a message field, as some
+ # security events contain an explanatory Message field.
+ - remove:
+ field:
+ - message
+ - _temp_.full_message
+ ignore_missing: true
+
+ #
+ # Populate ECS fields from Security Events
+ #
+ # This script uses the key-value pairs from Security Events to populate
+ # the appropriate ECS fields.
+ #
+ # A single key can be mapped to multiple ECS fields, and more than one key can
+ # map to the same ECS field, which results in an array being created.
+ #
+ # This script performs an additional job:
+ #
+ # Before FTD version 6.3, the message_id was not included in Security Events.
+ # As this field encodes the kind of event (intrusion, connection, malware...)
+ # the script below will guess the right message_id from the keys present in
+ # the event.
+ # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: ["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + 
id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", 
"430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + 
SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? 
+ dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+ #*******************************************************************************
+
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
+ source: |
+ def getField(Map src, String[] path) {
+ for (int i=0; i new HashMap());
+ }
+ dest[path[path.length-1]] = value;
+ }
+ for (entry in params.entrySet()) {
+ def srcField = entry.getKey();
+ def param = entry.getValue();
+ String oldVal = getField(ctx, srcField.splitOnToken('.'));
+ if (oldVal == null) continue;
+ def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+ if (newVal != null) {
+ def dstField = param.getOrDefault('target', srcField);
+ setField(ctx, dstField.splitOnToken('.'), newVal);
+ }
+ }
+ - set:
+ if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+ field: dns.response_code
+ value: NOERROR
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value:
malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{event.duration}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Parse Source/Dest Username/Domain + # + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" 
+ CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)?
+ - grok:
+ field: "destination.user.name"
+ if: 'ctx?.destination?.user?.name != null'
+ ignore_failure: true
+ patterns:
+ - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name}
+ pattern_definitions:
+ CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?"
+ CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)?
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
+ - lowercase:
+ field: "network.type"
+ ignore_failure: true
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number.
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: "allowed"
+ - set:
+ field: "event.outcome"
+ if:
'ctx.event?.outcome == "permitted"'
+ value: "allowed"
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "allow"'
+ value: allowed
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "deny"'
+ value: denied
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
+ #
+ # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: source.port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: network.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: source.packets
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.packets
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.mapped_source_port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.mapped_destination_port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.icmp_code
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.icmp_type
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: http.response.status_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: file.size
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: sip.to.uri.port
+ type: integer
+ ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+ ignore_failure: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value:
"{{url.domain}}"
+ ignore_failure: true
+ if: ctx?.url?.domain != null
+
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - append:
+ field: url.domain
+ value: "{{_temp_.url_domain}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?._temp_?.url_domain != null
+
+ #
+ # Populate ECS event.code
+ #
+ - rename:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.asa"
+ ignore_failure: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: cisco.asa.list_id
+ target_field: cisco.asa.rule_name
+ ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type: []
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
+ client-vpn-connected:
+ kind: event
+ category:
+ - network
+ - session
+ type:
+ -
connection
+ - start
+ client-vpn-error:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - error
+ - denied
+ client-vpn-disconnected:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ source: >-
+ if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+ return;
+ }
+
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) {
+ if (ctx?.event?.action == 'firewall-rule') {
+ ctx.event.type.add('info');
+ } else if (ctx?.event?.action.startsWith('connection-')) {
+ ctx.event.type.add('connection');
+ }
+ return;
+ }
+ if (ctx.event.outcome == 'allowed') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('allowed');
+ } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('denied');
+ } else if (ctx.event.outcome == 'dropped') {
+ ctx.event.outcome = 'failure';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('denied');
+ } else if (ctx?.event?.action == 'firewall-rule') {
+ ctx.event.type.add('info');
+ } else if (ctx?.event?.action.startsWith('connection-')) {
+ ctx.event.type.add('connection');
+ }
+ if (ctx.event.outcome == 'monitored') {
+ ctx.event.category.add('intrusion_detection');
+ ctx.event.outcome = 'success';
+ }
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "firewall"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "asa"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.asa.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.asa.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{user.name}}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{source.user.name}}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{destination.user.name}}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates:
false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.user.domain}}"
+ if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.user.domain}}"
+ if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - community_id:
+ ignore_missing: true
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.asa"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/fields/agent.yml b/packages/cisco_asa/2.4.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/2.4.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..efbed64fad
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_asa
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_asa.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/fields/ecs.yml b/packages/cisco_asa/2.4.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..a68d2bcc32
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/fields/ecs.yml
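Review bot: `example: 666777888999` under `cloud.account.id` in agent.yml is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field's `type` is `keyword`; quote it as `example: "666777888999"` so the sample value has the same type as the field it documents. The other example in this hunk that could be mistyped, `os.build`'s `"18D109"`, is already quoted, so this is the one inconsistent case. `os.version`'s `10.14.1` and `os.kernel`'s `4.4.0-112-generic` are safe unquoted because neither parses as a number. If this file is copied from a shared ECS template, the same fix presumably belongs in the template as well.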
@@ -0,0 +1,502 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.user.name
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: destination.user.domain
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.name
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+ name: network.inner
+ type: object
+- description: VLAN ID as reported by the observer.
+ name: network.inner.vlan.id
+ type: keyword
+- description: Optional VLAN name as reported by the observer.
+ name: network.inner.vlan.name
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+ name: observer.egress.zone
+ type: keyword
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+ name: observer.ingress.zone
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: source.user.domain
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Portion of the url after the `#`, such as "top".
+ The `#` is not part of the fragment.
+ name: url.fragment
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: url.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: Port of the server.
+ name: server.port
+ type: long
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: server.user.name
+ type: keyword
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: client.address
+ type: keyword
+- description: Port of the client.
+ name: client.port
+ type: long
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/fields/fields.yml b/packages/cisco_asa/2.4.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..a1e912f401
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/fields/fields.yml
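Review bot: The `event.created` entry is defined twice, back to back, immediately after `event.code`, and `server.domain` is defined twice as well (once just before the `source.*` entries and again after `user.name`); one copy of each should be dropped so the field list is unambiguous for package validation and generated docs. `destination.geo.location` and `source.geo.location` are the only entries carrying `level: core`, while the rest of the file omits the key; either remove it from those two or apply it consistently. Throughout the file `name` is written after `description` and `multi_fields`, which makes the field being defined hard to spot when scanning; listing `name` first in each item would read better.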
@@ -0,0 +1,209 @@
+- name: cisco.asa
+ type: group
+ fields:
+ - name: message_id
+ type: keyword
+ description: >
+ The Cisco ASA message identifier.
+
+ - name: suffix
+ type: keyword
+ description: >
+ Optional suffix after %ASA identifier.
+
+ - name: source_interface
+ type: keyword
+ description: >
+ Source interface for the flow or event.
+
+ - name: destination_interface
+ type: keyword
+ description: >
+ Destination interface for the flow or event.
+
+ - name: rule_name
+ type: keyword
+ description: >
+ Name of the Access Control List rule that matched this event.
+
+ - name: source_username
+ type: keyword
+ description: >
+ Name of the user that is the source for this event.
+
+ - name: destination_username
+ type: keyword
+ description: >
+ Name of the user that is the destination for this event.
+
+ - name: mapped_source_ip
+ type: ip
+ description: >
+ The translated source IP address.
+
+ - name: mapped_source_port
+ type: long
+ description: >
+ The translated source port.
+
+ - name: mapped_destination_ip
+ type: ip
+ description: >
+ The translated destination IP address.
+
+ - name: mapped_destination_port
+ type: long
+ description: >
+ The translated destination port.
+
+ - name: threat_level
+ type: keyword
+ description: >
+ Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+
+ - name: threat_category
+ type: keyword
+ description: >
+ Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+
+ - name: connection_id
+ type: keyword
+ description: >
+ Unique identifier for a flow.
+
+ - name: icmp_type
+ type: short
+ description: >
+ ICMP type.
+
+ - name: icmp_code
+ type: short
+ description: >
+ ICMP code.
+
+ - name: connection_type
+ type: keyword
+ description: >
+ The VPN connection type
+
+ - name: session_type
+ type: keyword
+ default_field: false
+ description: >
+ Session type (for example, IPsec or UDP).
+
+ - name: dap_records
+ type: keyword
+ description: >
+ The assigned DAP records
+
+ - name: mapped_destination_host
+ type: keyword
+ - name: username
+ type: keyword
+ - name: mapped_source_host
+ type: keyword
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: >
+ The command line arguments logged by the local audit log
+
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: >
+ The IP address assigned to a VPN client successfully connecting
+
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the old value
+
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the new value
+
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: >
+ The related object for burst warnings
+
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: >
+ The related rate ID for burst warnings
+
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current burst rate seen
+
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured burst rate
+
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current average burst rate seen
+
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured average burst rate allowed
+
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: >
+ The total count of burst rate hits since the object was created or cleared
+
+ - name: security
+ type: flattened
+ description: Cisco FTD security event fields.
+ - name: webvpn.group_name
+ type: keyword
+ default_field: false
+ description: >
+ The WebVPN group name the user belongs to
+
+ - name: termination_initiator
+ type: keyword
+ default_field: false
+ description: >
+ Interface name of the side that initiated the teardown
+
+ - name: tunnel_type
+ type: keyword
+ default_field: false
+ description: >
+ SA type (remote access or L2L)
+
+ - name: termination_user
+ default_field: false
+ type: keyword
+ description: >
+ AAA name of user requesting termination
+
+ - name: message
+ default_field: false
+ type: keyword
+ description: >-
+ The message associated with SIP and Skinny VoIP events
+- name: syslog.facility.code
+ type: long
+ description: Syslog numeric facility of the event.
+- name: syslog.priority
+ type: long
+ description: Syslog priority of the event.
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/manifest.yml b/packages/cisco_asa/2.4.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..152d8d7d7a
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/manifest.yml
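Review bot: `mapped_destination_host`, `username` and `mapped_source_host` (just after `dap_records`) are the only fields in the `cisco.asa` group without a `description`, so the generated field reference will show blank entries for them. Mirroring the wording of the sibling `mapped_*_ip` fields, `description: The translated destination host name.` and `description: The translated source host name.` would fit, and `username` needs a sentence saying which user the value identifies — presumably the authenticated user, which should be confirmed against the pipeline. Separately, the `privilege.old` and `privilege.new` descriptions read "a users privilege"; "a user's privilege" is intended, and most `>` block descriptions in this file end without a period while the ECS entries end with one.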
@@ -0,0 +1,175 @@
+title: Cisco ASA logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: udp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - input: logfile
+ enabled: false
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-asa.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_asa/2.4.1/data_stream/log/sample_event.json b/packages/cisco_asa/2.4.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..7d6958b5c6
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/data_stream/log/sample_event.json
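Review bot: The `tcp_options` default ships `#framing: delimitier`, a misspelling of `delimiter`; because this commented block is exactly what an operator uncomments to customise the TCP input, copying it as-is yields an invalid `framing` value, so the line should read `#framing: delimiter`. The `ssl` variable's description opens with "i.e." where "e.g." is meant, since `certificate_authorities, supported_protocols, verification_mode` is an illustrative list, and it would help to state there that the TCP listener presumably accepts plaintext until this block is populated. `udp_host` and `tcp_host` defaulting to `localhost` with the description explaining how to widen the bind is the right shape; consider the same `0.0.0.0` caveat in the `tcp_port`/`udp_port` descriptions only if the bind and port are meant to be read together.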
@@ -0,0 +1,107 @@ +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e", + "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco_asa.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8256 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco_asa.log", + "ingested": "2022-05-16T01:09:09Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.160.4:44914" + } + }, + "network": { + "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "192.168.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + "forwarded" + ] +} 
\ No newline at end of file
diff --git a/packages/cisco_asa/2.4.1/docs/README.md b/packages/cisco_asa/2.4.1/docs/README.md
new file mode 100755
index 0000000000..f46ca4ceb7
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/docs/README.md
@@ -0,0 +1,329 @@ +# Cisco ASA Integration + +This integration is for Cisco ASA network device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco ASA firewall logs. + +## Logs + +### ASA + +The `log` dataset collects the Cisco ASA firewall logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e", + "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco_asa.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8256 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco_asa.log", + "ingested": "2022-05-16T01:09:09Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.160.4:44914" + } + }, + "network": { + "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", 
+ "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "192.168.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | +| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.asa.burst.current_rate | The current burst rate seen | keyword | +| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | +| cisco.asa.burst.object | The related object for burst warnings | keyword | +| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.asa.connection_id | Unique identifier for a flow. | keyword | +| cisco.asa.connection_type | The VPN connection type | keyword | +| cisco.asa.dap_records | The assigned DAP records | keyword | +| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.asa.icmp_code | ICMP code. | short | +| cisco.asa.icmp_type | ICMP type. | short | +| cisco.asa.mapped_destination_host | | keyword | +| cisco.asa.mapped_destination_ip | The translated destination IP address. 
| ip | +| cisco.asa.mapped_destination_port | The translated destination port. | long | +| cisco.asa.mapped_source_host | | keyword | +| cisco.asa.mapped_source_ip | The translated source IP address. | ip | +| cisco.asa.mapped_source_port | The translated source port. | long | +| cisco.asa.message | The message associated with SIP and Skinny VoIP events | keyword | +| cisco.asa.message_id | The Cisco ASA message identifier. | keyword | +| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.asa.security | Cisco FTD security event fields. | flattened | +| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword | +| cisco.asa.source_interface | Source interface for the flow or event. | keyword | +| cisco.asa.source_username | Name of the user that is the source for this event. | keyword | +| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | +| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword | +| cisco.asa.termination_user | AAA name of user requesting termination | keyword | +| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword | +| cisco.asa.username | | keyword | +| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.name | Short name or login of the user. 
| keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. 
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. 
| long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
| keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. 
| long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. 
| keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/cisco_asa/2.4.1/img/cisco.svg b/packages/cisco_asa/2.4.1/img/cisco.svg
new file mode 100755
index 0000000000..20ebebf197
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco_asa/2.4.1/img/kibana-cisco-asa.png b/packages/cisco_asa/2.4.1/img/kibana-cisco-asa.png
new file mode 100755
index 0000000000..ad51be2204
Binary files /dev/null and b/packages/cisco_asa/2.4.1/img/kibana-cisco-asa.png differ
diff --git a/packages/cisco_asa/2.4.1/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..be56be76ce
--- /dev/null
+++ b/packages/cisco_asa/2.4.1/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,53 @@ +{ + "attributes": { + "description": "Sample dashboard for Cisco ASA Firewall devices", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Cisco] ASA Firewall", + "version": 1 + }, + "id": 
"cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..c4e9b835ce --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All ASA Logs [Cisco]", + "version": 1 + }, + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..827e718b96 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"flow-expiration\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall flows [Cisco]", + "version": 1 + }, + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..ecea457cb0 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"firewall-rule\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall Events [Cisco]", + "version": 1 + }, + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..3d47d84b87 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Top ACL by Blocked [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..6f81464b3a --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..68171576d0 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..a39f27880f --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Flows by Network Bytes [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}" + }, + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..67b75fd248 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Events Over Time [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}" + }, + "id": 
"cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..cab50f4d5c --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Firewall Blocked by Source [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
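Review bot: The "ASA Firewall Blocked by Source" visualization (d05cdf60) has an empty query in its `searchSourceJSON`, so it ranks source IPs over every `event.action:"firewall-rule"` event from saved search 96c6ff60, permitted traffic included; a panel titled "Blocked" that counts allowed flows will mislead triage. The sibling "ASA Top ACL by Blocked" panel (08ef4d90) narrows the same saved search with `event.outcome:"deny"`. Apply the same filter here: `"searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}"`.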
diff --git a/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..0b55816042 --- /dev/null +++ b/packages/cisco_asa/2.4.1/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top ASA Messages [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.1/manifest.yml b/packages/cisco_asa/2.4.1/manifest.yml new file mode 100755 index 0000000000..00ed044288 --- /dev/null +++ b/packages/cisco_asa/2.4.1/manifest.yml 
@@ -0,0 +1,39 @@
+format_version: 1.0.0
+name: cisco_asa
+title: Cisco ASA
+version: 2.4.1
+license: basic
+description: Collect logs from Cisco ASA with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/kibana-cisco-asa.png
+ title: kibana cisco asa
+ size: 1800x1559
+ type: image/png
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_asa
+ title: Cisco ASA logs
+ description: Collect logs from Cisco ASA instances
+ inputs:
+ - type: tcp
+ title: Collect logs from Cisco ASA via TCP
+ description: Collecting logs from Cisco ASA via TCP
+ - type: udp
+ title: Collect logs from Cisco ASA via UDP
+ description: Collecting logs from Cisco ASA via UDP
+ - type: logfile
+ title: Collect logs from Cisco ASA via file
+ description: Collecting logs from Cisco ASA via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_duo/1.2.2/changelog.yml b/packages/cisco_duo/1.2.2/changelog.yml
new file mode 100755
index 0000000000..d2546650b0
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/changelog.yml
@@ -0,0 +1,76 @@
+# newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Fix invalid value for `event.outcome` in auth data set
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3333
+- version: "1.2.1"
+ changes:
+ - description: Added link to Duo documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2929
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2778
+- version: "1.1.6"
+ changes:
+ - description: Simplify IP grok patterns.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3170
+- version: "1.1.5"
+ changes:
+ - description: Fix handling of IP addresses with port numbers.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3117
+- version: "1.1.4"
+ changes:
+ - description: Fix dashboard issues.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3030
+- version: "1.1.3"
+ changes:
+ - description: Add mapping for event.created.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3021
+- version: "1.1.2"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2390
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2249
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1953
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1629
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.2.2/data_stream/admin/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..5e8eee5bc7
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/administrator
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/administrator" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.2.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..51f1d16664
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
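Review bot: The `header.Date` transform and the `header.Authorization` transform each call `now` independently and format it to one-second resolution, so when the two evaluations straddle a second boundary the string that was HMAC-signed differs from the `Date` header actually sent and the request is rejected; it is rare per request but will surface as intermittent 401s on a long-running poll. Compute the timestamp once and sign the same value you send — if the httpjson transform context exposes the request header as `.header`, something like `(hmac "sha1" "{{secret_key}}" (.header.Get "Date") "\n" "GET" ...` in place of the second `formatDate (now) ...` would do it; confirm against the httpjson template docs before relying on that accessor. Separately, the `default` for `url.params.mintime` only reaches back one `interval` on the very first run, so administrator events older than that are never collected; an explicit initial-lookback variable would make the audit-log coverage deliberate rather than accidental.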
@@ -0,0 +1,155 @@
+---
+description: Pipeline for parsing cisco_duo administrator logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.action
+ - json.description
+ - json.object
+ - json.username
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - set:
+ field: event.category
+ value: iam
+ if: ctx?.json?.action instanceof String && ['admin_2fa_error','admin_account_switch','admin_activation_create','admin_activation_delete','admin_activate_duo_push','admin_create','admin_delete','admin_factor_restrictions_update','admin_login','admin_login_error','admin_reactivates_duo_push','admin_reset_password','admin_self_activate','admin_send_reset_password_email','admin_update','adminapi_request_ip_denied','bypass_create','bypass_delete','bypass_view','phone_associate','phone_create','phone_delete','phone_disassociate','phone_update','group_create','group_delete','group_update','user_bulk_activate','user_bulk_enroll','user_create','user_delete','user_import','user_pending_delete','user_restore','user_update'].contains(ctx?.json?.action)
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: success
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.json?.action instanceof String && ['ad_sync_failed','admin_2fa_error','admin_login_error','azure_sync_fail','openldap_sync_failed'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: admin
+ if: ctx?.json?.action instanceof String && ['activation_create_link','activation_delete_link','activation_send_link','admin_2fa_error','admin_account_switch','admin_activation_create','admin_activation_delete','admin_activate_duo_push','admin_create','admin_delete','admin_factor_restrictions_update','admin_login','admin_login_error','admin_reactivates_duo_push','admin_reset_password','admin_self_activate','admin_send_reset_password_email','admin_update','adminapi_request_ip_denied'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: group
+ if: ctx?.json?.action instanceof String && ['group_create','group_delete','group_update','integration_group_policy_add','integration_group_policy_remove','policy_create','policy_delete','policy_update'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: user
+ if: ctx?.json?.action instanceof String && ['ad_sync_by_user_begin','ad_sync_by_user_finish','azure_sync_by_user_begin','azure_sync_by_user_finish','bypass_create','bypass_delete','bypass_view','openldap_sync_begin','openldap_sync_by_user_begin','phone_associate','phone_create','phone_delete','phone_disassociate','phone_update','user_bulk_activate','user_bulk_enroll','user_create','user_delete','user_import','user_pending_delete','user_restore','user_update'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: info
+ if: ctx?.json?.action instanceof String && ['ad_sync_begin','ad_sync_failed','ad_sync_finish','azure_directory_create','azure_directory_update','azure_directory_delete','azure_sync_begin','azure_sync_finish','azure_sync_fail','create_child_customer','credits_update','customer_update','delete_child_customer','directory_create','directory_delete','directory_groups_update','directory_sync_pause','directory_sync_resume','directory_update','edition_update','feature_add','feature_delete','hardtoken_create','hardtoken_delete','hardtoken_resync','hardtoken_update','integration_create','integration_delete','integration_policy_assign','integration_policy_unassign','integration_skey_view','integration_update','openldap_sync_by_user_finish','openldap_sync_config_download','openldap_sync_failed','openldap_sync_finish','regen_mobile','regen_sms','resend_enroll_codes','send_enroll_code'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: creation
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("create")
+ - append:
+ field: event.type
+ value: change
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("update")
+ - append:
+ field: event.type
+ value: deletion
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("delete")
+ - set:
+ field: message
+ copy_from: json.description
+ if: ctx?.json?.description != null
+ - json:
+ field: json.description
+ target_field: cisco_duo.admin.flattened
+ if: ctx?.json?.description != null
+ ignore_failure: true
+ - set:
+ field: event.reason
+ value: "{{{message}}}"
+ - set:
+ field: event.action
+ copy_from: json.action
+ if: ctx?.json?.action != null
+ - set:
+ field: user.name
+ copy_from: json.username
+ if: ctx?.json?.username != null
+ - set:
+ field: user.email
+ copy_from: cisco_duo.admin.flattened.email
+ if: ctx?.event?.action == "admin_self_activate"
+ ignore_failure: true
+ - set:
+ field: user.changes.name
+ copy_from: cisco_duo.admin.flattened.realname
+ if: ctx?.event?.action == "user_update"
+ ignore_failure: true
+ - set:
+ field: user.changes.email
+ copy_from: cisco_duo.admin.flattened.email
+ if: ctx?.event?.action == "user_update"
+ ignore_failure: true
+ - set:
+ field: user.target.name
+ copy_from: json.object
+ if: ctx?.json?.object != null
+ - rename:
+ field: json.action
+ target_field: cisco_duo.admin.action
+ ignore_missing: true
+ - rename:
+ field: json.username
+ target_field: cisco_duo.admin.user.name
+ ignore_missing: true
+ - rename:
+ field: json.object
+ target_field: cisco_duo.admin.action_performed_on
+ if: ctx?.json?.object != null
+ - remove:
+ field:
+ - message
+ - event.reason
+ if: ctx?.cisco_duo?.admin?.flattened != null
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/fields/agent.yml b/packages/cisco_duo/1.2.2/data_stream/admin/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/fields/agent.yml
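Review bot: The `- remove: field: json` near the end of the pipeline has no `ignore_missing`, while the `json` processor at the top runs with `ignore_failure: true`; a `message` that is not valid JSON therefore passes the parse step silently and the document then fails at that remove with a "field [json] not present" message in `error.message`, which hides the real cause from whoever triages ingest errors. Either drop `ignore_failure` from the `json` step so the parse error itself is what gets reported, or add `ignore_missing: true` to that remove. The `on_failure` handler also only sets `error.message`, and because `event.kind: event` is set unconditionally earlier, a failed parse is indistinguishable from a good admin event in any query that does not inspect `error.message`; adding `- set: field: event.kind value: pipeline_error` to `on_failure` lets detection rules and dashboards exclude or alert on them.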
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/fields/base-fields.yml b/packages/cisco_duo/1.2.2/data_stream/admin/fields/base-fields.yml
new file mode 100755
index 0000000000..9ca6a026e5
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.admin
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/fields/ecs.yml b/packages/cisco_duo/1.2.2/data_stream/admin/fields/ecs.yml
new file mode 100755
index 0000000000..bcb1a42b7a
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/fields/ecs.yml
@@ -0,0 +1,108 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.
+ For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.
+ If no validation is performed then the field should be omitted.
+ The allowed values are:
+ `verified` - The `agent.id` field value matches expected value obtained from auth metadata.
+ `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.
+ `missing` - There was no `agent.id` field in the event to validate.
+ `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+ name: event.agent_id_status
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: User email address.
+ name: user.changes.email
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.changes.name
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/fields/fields.yml b/packages/cisco_duo/1.2.2/data_stream/admin/fields/fields.yml
new file mode 100755
index 0000000000..a094785089
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/fields/fields.yml
@@ -0,0 +1,19 @@
+- name: cisco_duo.admin
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: |
+ The type of change that was performed
+ - name: action_performed_on
+ type: keyword
+ description: |
+ The object that was acted on.
+ - name: user.name
+ type: keyword
+ description: |
+ The full name of the administrator who performed the action in the Duo Admin Panel.
+ - name: flattened
+ type: flattened
+ description: |
+ ES flattened datatype for objects where the subfields aren't known in advance.
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/manifest.yml b/packages/cisco_duo/1.2.2/data_stream/admin/manifest.yml
new file mode 100755
index 0000000000..8e05f5dd5f
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo administrator logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-admin
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo administrator logs
+ description: Collect Cisco Duo administrator logs
diff --git a/packages/cisco_duo/1.2.2/data_stream/admin/sample_event.json b/packages/cisco_duo/1.2.2/data_stream/admin/sample_event.json
new file mode 100755
index 0000000000..6c70009ed5
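Review bot: The description of `cisco_duo.admin.user.name` in fields.yml says "The full name of the administrator", but the admin ingest pipeline populates it by renaming `json.username`, and copies that same value into ECS `user.name`, whose description in ecs.yml is "Short name or login of the user"; the two descriptions cannot both be right about what the field holds. Unless the Duo payload's `username` is known to carry a display name, I would reword it to `The username of the administrator who performed the action in the Duo Admin Panel.` so the custom field and the ECS field it mirrors agree. The description of `cisco_duo.admin.action` is also missing its terminating full stop, unlike its siblings. The pipeline that fills these fields is in a separate file; only its `rename` and `set` of `json.username` are visible on this page.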
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/admin/sample_event.json
@@ -0,0 +1,54 @@
+{
+ "@timestamp": "2021-07-20T11:41:31.000Z",
+ "agent": {
+ "ephemeral_id": "d5c469ec-2802-48c4-9828-95a1a38a3d57",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "admin": {
+ "action": "activation_begin",
+ "user": {
+ "name": "narroway"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.admin",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "activation_begin",
+ "agent_id_status": "verified",
+ "created": "2021-12-29T09:39:10.869Z",
+ "dataset": "cisco_duo.admin",
+ "ingested": "2021-12-29T09:39:11Z",
+ "kind": "event",
+ "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}",
+ "outcome": "success",
+ "reason": "Starting activation process"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "message": "Starting activation process",
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-admin"
+ ],
+ "user": {
+ "name": "narroway"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.2.2/data_stream/auth/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..254a2b4226
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,43 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v2/logs/authentication
+request.transforms:
+ - set:
+ target: url.params.limit
+ value: 1000
+ - set:
+ target: url.params.sort
+ value: ts:asc
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[div (((now (parseDuration "-2m")).Add (parseDuration "-{{interval}}")).UnixNano) 1e6]]'
+ - set:
+ target: url.params.maxtime
+ value: '[[div ((now (parseDuration "-2m")).UnixNano) 1e6]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v2/logs/authentication" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response.authlogs
+cursor:
+ last_published:
+ value: '[[mul (toInt .last_event.timestamp) 1000]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.2.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..ca465ae741
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
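Review bot: The `header.Date` transform and the `header.Authorization` transform each evaluate `now` independently, so whenever the clock crosses a second boundary between the two `formatDate (now) ...` calls the string that was signed differs from the Date header actually sent, and Duo rejects the request as a signature mismatch; the failure is intermittent and shows up only as a 401 in the agent log. The date should be produced once and reused inside the HMAC input — if the request transform context exposes the header already set (something like `.header.Get "Date"` in place of the second `formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"`), use that; otherwise the two values need to come from a single evaluation. Separately, `"{{secret_key}}"` is interpolated into a single-quoted YAML scalar, so a secret containing `'` would break the rendered config rather than fail cleanly; a comment above the `header.Authorization` transform stating the expected key format, and that the same Date string must be used in both places, would make the constraint visible to the next editor.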
@@ -0,0 +1,356 @@
+---
+description: Pipeline for parsing cisco_duo authentication logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.txid
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - set:
+ field: event.category
+ value: authentication
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: failure
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx?.json?.result == "success"
+ - set:
+ field: event.type
+ value: info
+ - set:
+ field: event.reason
+ copy_from: json.reason
+ ignore_failure: true
+ - set:
+ field: source.address
+ copy_from: json.access_device.ip
+ - grok:
+ field: json.access_device.ip
+ patterns:
+ - "^%{IPV4:json.access_device.ip}:%{PORT:json.access_device.port}$"
+ - "^\\[%{IPV6:json.access_device.ip}\\]:%{PORT:json.access_device.port}$"
+ - "^%{IPV6NOCOMPRESS:json.access_device.ip}:%{PORT:json.access_device.port}$"
+ - "^%{IPV6:json.access_device.ip}%{IPV6PORTSEP}%{PORT:json.access_device.port}$"
+ pattern_definitions:
+ IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}'
+ IPV6PORTSEP: '(?: port |[p#.])'
+ PORT: '[0-9]+'
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.access_device.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: json.access_device.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: source.ip
+ copy_from: json.access_device.ip
+ ignore_failure: true
+ - set:
+ field: source.port
+ copy_from: json.access_device.port
+ ignore_failure: true
+ - grok:
+ field: json.auth_device.ip
+ patterns:
+ - "^%{IPV4:json.auth_device.ip}:%{PORT:json.auth_device.port}$"
+ - "^\\[%{IPV6:json.auth_device.ip}\\]:%{PORT:json.auth_device.port}$"
+ - "^%{IPV6NOCOMPRESS:json.auth_device.ip}:%{PORT:json.auth_device.port}$"
+ - "^%{IPV6:json.auth_device.ip}%{IPV6PORTSEP}%{PORT:json.auth_device.port}$"
+ pattern_definitions:
+ IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}'
+ IPV6PORTSEP: '(?: port |[p#.])'
+ PORT: '[0-9]+'
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.auth_device.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: json.auth_device.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: json.access_device.hostname
+ if: ctx?.json?.access_device?.hostname != null
+ - set:
+ field: source.user.email
+ copy_from: json.email
+ ignore_failure: true
+ - set:
+ field: source.user.id
+ copy_from: json.user.key
+ ignore_failure: true
+ - set:
+ field: source.user.name
+ copy_from: json.user.name
+ ignore_failure: true
+ - rename:
+ field: json.user.groups
+ target_field: source.user.group.name
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - geoip:
+ field: json.auth_device.ip
+ target_field: cisco_duo.auth.auth_device.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: json.auth_device.ip
+ target_field: cisco_duo.auth.auth_device.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: cisco_duo.auth.auth_device.as.asn
+ target_field: cisco_duo.auth.auth_device.as.number
+ ignore_missing: true
+ - rename:
+ field: cisco_duo.auth.auth_device.as.organization_name
+ target_field: cisco_duo.auth.auth_device.as.organization.name
+ ignore_missing: true
+ - set:
+ field: user.email
+ copy_from: json.email
+ ignore_failure: true
+ - set:
+ field: user.name
+ copy_from: json.user.name
+ ignore_failure: true
+ - set:
+ field: user.id
+ copy_from: json.user.key
+ ignore_failure: true
+ - set:
+ field: user_agent.name
+ copy_from: json.access_device.browser
+ ignore_failure: true
+ - set:
+ field: user_agent.version
+ copy_from: json.access_device.browser_version
+ ignore_failure: true
+ - set:
+ field: user_agent.os.name
+ copy_from: json.access_device.os
+ ignore_failure: true
+ - set:
+ field: user_agent.os.version
+ copy_from: json.access_device.os_version
+ ignore_failure: true
+ - rename:
+ field: json.email
+ target_field: cisco_duo.auth.email
+ ignore_missing: true
+ - rename:
+ field: json.event_type
+ target_field: cisco_duo.auth.event_type
+ ignore_missing: true
+ - rename:
+ field: json.factor
+ target_field: cisco_duo.auth.factor
+ ignore_missing: true
+ - rename:
+ field: json.ood_software
+ target_field: cisco_duo.auth.ood_software
+ ignore_missing: true
+ - rename:
+ field: json.reason
+ target_field: cisco_duo.auth.reason
+ ignore_missing: true
+ - rename:
+ field: json.result
+ target_field: cisco_duo.auth.result
+ ignore_missing: true
+ - rename:
+ field: json.txid
+ target_field: cisco_duo.auth.txid
+ ignore_missing: true
+ - rename:
+ field: json.alias
+ target_field: cisco_duo.auth.alias
+ ignore_missing: true
+ - rename:
+ field: json.access_device.flash_version
+ target_field: cisco_duo.auth.access_device.flash_version
+ ignore_missing: true
+ - rename:
+ field: json.access_device.hostname
+ target_field: cisco_duo.auth.access_device.hostname
+ if: ctx?.json?.access_device?.hostname != null
+ - rename:
+ field: json.access_device.ip
+ target_field: cisco_duo.auth.access_device.ip
+ ignore_missing: true
+ - rename:
+ field: json.access_device.port
+ target_field: cisco_duo.auth.access_device.port
+ ignore_missing: true
+ - rename:
+ field: json.access_device.is_encryption_enabled
+ target_field: cisco_duo.auth.access_device.is_encryption_enabled
+ ignore_missing: true
+ - convert:
+ field: cisco_duo.auth.access_device.is_encryption_enabled
+ type: string
+ ignore_failure: true
+ - rename:
+ field: json.access_device.is_firewall_enabled
+ target_field: cisco_duo.auth.access_device.is_firewall_enabled
+ ignore_missing: true
+ - convert:
+ field: cisco_duo.auth.access_device.is_firewall_enabled
+ type: string
+ ignore_failure: true
+ - rename:
+ field: json.access_device.is_password_set
+ target_field: cisco_duo.auth.access_device.is_password_set
+ ignore_missing: true
+ - convert:
+ field: cisco_duo.auth.access_device.is_password_set
+ type: string
+ ignore_failure: true
+ - rename:
+ field: json.access_device.java_version
+ target_field: cisco_duo.auth.access_device.java_version
+ ignore_missing: true
+ - rename:
+ field: json.access_device.location.city
+ target_field: cisco_duo.auth.access_device.location.city
+ ignore_missing: true
+ - rename:
+ field: json.access_device.location.country
+ target_field: cisco_duo.auth.access_device.location.country
+ ignore_missing: true
+ - rename:
+ field: json.access_device.location.state
+ target_field: cisco_duo.auth.access_device.location.state
+ ignore_missing: true
+ - rename:
+ field: json.access_device.security_agents
+ target_field: cisco_duo.auth.access_device.security_agents
+ ignore_missing: true
+ - rename:
+ field: json.application.key
+ target_field: cisco_duo.auth.application.key
+ ignore_missing: true
+ - rename:
+ field: json.application.name
+ target_field: cisco_duo.auth.application.name
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.ip
+ target_field: cisco_duo.auth.auth_device.ip
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.port
+ target_field: cisco_duo.auth.auth_device.port
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.location.city
+ target_field: cisco_duo.auth.auth_device.location.city
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.location.country
+ target_field: cisco_duo.auth.auth_device.location.country
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.location.state
+ target_field: cisco_duo.auth.auth_device.location.state
+ ignore_missing: true
+ - rename:
+ field: json.auth_device.name
+ target_field: cisco_duo.auth.auth_device.name
+ ignore_missing: true
+ - rename:
+ field: json.trusted_endpoint_status
+ target_field: cisco_duo.auth.trusted_endpoint_status
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{source.ip}}}"
+ if: ctx?.source?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{{cisco_duo.auth.auth_device.ip}}}"
+ if: ctx?.cisco_duo?.auth?.auth_device?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/fields/agent.yml b/packages/cisco_duo/1.2.2/data_stream/auth/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/fields/agent.yml
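Review bot: The first `set` of `source.address` (`copy_from: json.access_device.ip`, just after the `event.reason` set) has neither an `if` guard nor `ignore_failure`, unlike every neighbouring `copy_from` set and the later `source.address` set from `access_device.hostname`, so an authentication event in which Duo omits or nulls `access_device.ip` aborts the pipeline at that processor and the document reaches `on_failure` with only the handful of earlier processors applied. Add `if: ctx?.json?.access_device?.ip != null` to that processor. The two `convert` processors that coerce `json.access_device.ip` and `json.auth_device.ip` to `type: ip` have the same shape: `ignore_missing` but no `ignore_failure`, and since every grok pattern above them requires a port suffix, a value that is neither a bare IP nor `ip:port` (the grok failure is already ignored) still aborts the whole pipeline at the convert instead of leaving the field as a string; whether Duo ever emits such values is not visible here, so I'd either add `ignore_failure: true` or gate the converts on the grok having produced a port.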
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/fields/base-fields.yml b/packages/cisco_duo/1.2.2/data_stream/auth/fields/base-fields.yml
new file mode 100755
index 0000000000..7ca807eb7c
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.auth
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/fields/ecs.yml b/packages/cisco_duo/1.2.2/data_stream/auth/fields/ecs.yml
new file mode 100755
index 0000000000..a452e76d47
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/fields/ecs.yml
@@ -0,0 +1,151 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.
+ For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.
+ If no validation is performed then the field should be omitted.
+ The allowed values are:
+ `verified` - The `agent.id` field value matches expected value obtained from auth metadata.
+ `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.
+ `missing` - There was no `agent.id` field in the event to validate.
+ `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+ name: event.agent_id_status
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/fields/fields.yml b/packages/cisco_duo/1.2.2/data_stream/auth/fields/fields.yml
new file mode 100755
index 0000000000..7b0d5b6786
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/fields/fields.yml
@@ -0,0 +1,162 @@
+- name: cisco_duo.auth
+ type: group
+ fields:
+ - name: email
+ type: keyword
+ description: |
+ The email address of the user, if known to Duo, otherwise none.
+ - name: event_type
+ type: keyword
+ description: |
+ The type of activity logged.
+ - name: factor
+ type: keyword
+ description: |
+ The authentication factor.
+ - name: ood_software
+ type: keyword
+ description: |
+ If authentication was denied due to out-of-date software, shows the name of the software.
+ - name: reason
+ type: keyword
+ description: |
+ Provide the reason for the authentication attempt result.
+ - name: result
+ type: keyword
+ description: |
+ The result of the authentication attempt.
+ - name: trusted_endpoint_status
+ type: keyword
+ description: |
+ Status of Trusted Endpoint.
+ - name: txid
+ type: keyword
+ description: |
+ The transaction ID of the event.
+ - name: alias
+ type: keyword
+ description: |
+ The username alias used to log in.
+ - name: access_device
+ type: group
+ fields:
+ - name: flash_version
+ type: keyword
+ description: |
+ The Flash plugin version used, if present.
+ - name: hostname
+ type: keyword
+ description: |
+ The hostname, if present.
+ - name: ip
+ type: ip
+ description: |
+ The access device's IP address.
+ - name: port
+ type: long
+ description: |
+ The access device's port number.
+ - name: is_encryption_enabled
+ type: keyword
+ description: |
+ Reports the disk encryption state as detected by the Duo Device Health app.
+ - name: is_firewall_enabled
+ type: keyword
+ description: |
+ Reports the firewall state as detected by the Duo Device Health app.
+ - name: is_password_set
+ type: keyword
+ description: |
+ Reports the system password state as detected by the Duo Device Health app
+ - name: java_version
+ type: keyword
+ description: |
+ The Java plugin version used.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: |
+ The city name of the access device using geoip location.
+ - name: country
+ type: keyword
+ description: |
+ The country of the access device using geoip location.
+ - name: state
+ type: keyword
+ description: |
+ The state name of the access device using geoip location.
+ - name: security_agents
+ type: keyword
+ description: |
+ Reports the security agents present on the endpoint as detected by the Duo Device Health app.
+ - name: application
+ type: group
+ fields:
+ - name: key
+ type: keyword
+ description: |
+ The application's integration_key.
+ - name: name
+ type: keyword
+ description: |
+ The application's name.
+ - name: auth_device
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ The IP address of the authentication device.
+ - name: port
+ type: long
+ description: |
+ The network port of the authentication device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: |
+ The city name of the authentication device using geoip location.
+ - name: country
+ type: keyword
+ description: |
+ The country of the authentication device using geoip location.
+ - name: state
+ type: keyword
+ description: |
+ The state name of the authentication device using geoip location.
+ - name: as.number
+ type: long
+ description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ - name: as.organization.name
+ type: keyword
+ description: Organization name.
+ - name: geo.city_name
+ type: keyword
+ description: City name.
+ - name: geo.continent_name
+ type: keyword
+ description: Name of the continent.
+ - name: geo.country_iso_code
+ type: keyword
+ description: Country ISO code.
+ - name: geo.country_name
+ type: keyword
+ description: Country name.
+ - name: geo.location
+ type: geo_point
+ level: core
+ description: Longitude and latitude.
+ - name: geo.region_iso_code
+ type: keyword
+ description: Region ISO code.
+ - name: geo.region_name
+ type: keyword
+ description: Region name.
+ - name: name
+ type: keyword
+ description: |
+ The name of the authentication device.
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/manifest.yml b/packages/cisco_duo/1.2.2/data_stream/auth/manifest.yml
new file mode 100755
index 0000000000..5e503233c2
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo authentication logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-auth
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo authentication logs
+ description: Collect Cisco Duo authentication logs
diff --git a/packages/cisco_duo/1.2.2/data_stream/auth/sample_event.json b/packages/cisco_duo/1.2.2/data_stream/auth/sample_event.json
new file mode 100755
index 0000000000..9ee539726e
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/auth/sample_event.json
@@ -0,0 +1,132 @@
+{
+ "@timestamp": "2020-02-13T18:56:20.000Z",
+ "agent": {
+ "ephemeral_id": "af742618-01e6-4406-b573-aab628bfa898",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "auth": {
+ "access_device": {
+ "flash_version": "uninstalled",
+ "ip": "89.160.20.156",
+ "is_encryption_enabled": "true",
+ "is_firewall_enabled": "true",
+ "is_password_set": "true",
+ "java_version": "uninstalled",
+ "location": {
+ "city": "Ann Arbor",
+ "country": "United States",
+ "state": "Michigan"
+ }
+ },
+ "application": {
+ "key": "DIY231J8BR23QK4UKBY8",
+ "name": "Microsoft Azure Active Directory"
+ },
+ "auth_device": {
+ "ip": "192.168.225.254",
+ "location": {
+ "city": "Ann Arbor",
+ "country": "United States",
+ "state": "Michigan"
+ },
+ "name": "My iPhone X (734-555-2342)"
+ },
+ "email": "narroway@example.com",
+ "event_type": "authentication",
+ "factor": "duo_push",
+ "reason": "user_approved",
+ "result": "success",
+ "trusted_endpoint_status": "not trusted",
+ "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.auth",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "authentication",
+ "created": "2021-12-29T09:39:46.431Z",
+ "dataset": "cisco_duo.auth",
+ "ingested": "2021-12-29T09:39:47Z",
+ "kind": "event",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
+ "outcome": "success",
+ "reason": "user_approved",
+ "type": "info"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156",
+ "192.168.225.254"
+ ]
+ },
+ "source": {
+ "address": "89.160.20.156",
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156",
+ "user": {
+ "email": "narroway@example.com",
+ "group": {
+ "name": [
+ "Duo Users",
+ "CorpHQ Users"
+ ]
+ },
+ "id": "DU3KC77WJ06Y5HIV7XKQ",
+ "name": "narroway@example.com"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-auth"
+ ],
+ "user": {
+ "email": "narroway@example.com",
+ "id": "DU3KC77WJ06Y5HIV7XKQ",
+ "name": "narroway@example.com"
+ },
+ "user_agent": {
+ "name": "Chrome",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.14.1"
+ },
+ "version": "67.0.3396.99"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..e293caac5a
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/offline_enrollment
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[((now (parseDuration "-2m")).Add (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/offline_enrollment" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..929f83a3ff
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
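Review bot: The `header.Authorization` transform splices `{{integration_key}}` and `{{secret_key}}` into Go-template string literals inside a single-quoted YAML scalar, so a key value containing `"`, `\` or `'` would render an invalid template or YAML rather than merely a bad signature; unless the manifest (not in this hunk) constrains those inputs, that assumption deserves a comment above the transform. The signed string is built from the date, the literal `"GET"`, `.url.Host`, the literal path and `.url.RawQuery`, so `request.method` and the method literal must be kept in step, and any query parameter added later must appear in `.url.RawQuery` in the canonical sorted, URL-encoded form Duo's signing scheme expects — a comment such as `# Duo Admin API v1 request signature; keep method/path in sync with request.method and request.url` would make this explicit. `interval` and `hostname` are rendered unquoted; writing `interval: "{{interval}}"` guards against an empty value collapsing to null.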
@@ -0,0 +1,75 @@
+---
+description: Pipeline for parsing cisco_duo offline enrollment logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.action
+ - json.description
+ - json.object
+ - json.username
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - json:
+ field: json.description
+ target_field: json_description
+ ignore_failure: true
+ - set:
+ field: user.name
+ copy_from: json.username
+ ignore_failure: true
+ - rename:
+ field: json.action
+ target_field: cisco_duo.offline_enrollment.action
+ ignore_missing: true
+ - rename:
+ field: json_description.hostname
+ target_field: cisco_duo.offline_enrollment.description.hostname
+ ignore_missing: true
+ - rename:
+ field: json_description.user_agent
+ target_field: cisco_duo.offline_enrollment.description.user_agent
+ ignore_missing: true
+ - rename:
+ field: json_description.factor
+ target_field: cisco_duo.offline_enrollment.description.factor
+ ignore_missing: true
+ - rename:
+ field: json.object
+ target_field: cisco_duo.offline_enrollment.object
+ ignore_missing: true
+ - rename:
+ field: json.username
+ target_field: cisco_duo.offline_enrollment.user.name
+ ignore_missing: true
+ - remove:
+ field: json
+ - remove:
+ field: json_description
+ if: ctx?.json_description != null
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
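Review bot: The `remove` of `field: json` near the end of this hunk carries no `ignore_missing: true`, unlike the parallel remove in the auth pipeline earlier in this diff; because the preceding `json` processor is `ignore_failure: true`, a non-JSON `event.original` leaves `json` unset and this remove throws, so the document is indexed through `on_failure` with `error.message` set but no parsed fields. Suggest `- remove:` / `field: json` / `ignore_missing: true`, matching the `json_description` remove just below which already guards itself with an `if`. Separately, the `date` processor's `ignore_failure: true` silently keeps the ingest-time `@timestamp` when `json.timestamp` is absent or unparsable; a guard `if: ctx.json?.timestamp != null` would skip the missing case while letting a genuine parse failure surface in `error.message`.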
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/agent.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/base-fields.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/base-fields.yml
new file mode 100755
index 0000000000..09ab334566
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.offline_enrollment
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/ecs.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/ecs.yml
new file mode 100755
index 0000000000..8196a41fe8
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/ecs.yml
@@ -0,0 +1,28 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/fields.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/fields.yml
new file mode 100755
index 0000000000..d651a89f6a
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/fields/fields.yml
@@ -0,0 +1,27 @@
+- name: cisco_duo.offline_enrollment
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: |
+ The offline enrollment operation
+ - name: description.hostname
+ type: keyword
+ description: |
+ The host name of the system where Duo Windows Logon is installed.
+ - name: description.user_agent
+ type: keyword
+ description: |
+ The Duo Windows Logon application version information and the Windows OS version and platform information.
+ - name: description.factor
+ type: keyword
+ description: |
+ The type of authenticator used for offline access.
+ - name: object
+ type: keyword
+ description: |
+ The Duo Windows Logon integration's name.
+ - name: user.name
+ type: keyword
+ description: |
+ The Duo username
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/manifest.yml b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/manifest.yml
new file mode 100755
index 0000000000..f36d248b6c
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/manifest.yml
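Review bot: The `description` block scalars in this fields.yml are punctuated inconsistently — `The offline enrollment operation` and `The Duo username` have no terminal period while the other four do — and these strings are shown verbatim in the generated package docs and the Kibana field help. Ending them uniformly, e.g. `The offline enrollment operation.` and `The Duo username.`, reads better. Since every description is a single short line, the `|` literal style is not needed and a plain scalar would be shorter, but that part is cosmetic.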
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo offline enrollment logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-offline_enrollment
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo offline enrollment logs
+ description: Collect Cisco Duo offline enrollment logs
diff --git a/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/sample_event.json b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/sample_event.json
new file mode 100755
index 0000000000..9a3e3e3eca
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/offline_enrollment/sample_event.json
@@ -0,0 +1,55 @@ +{ + "@timestamp": "2019-08-30T16:10:05.000Z", + "agent": { + "ephemeral_id": "3470fbe5-8d73-49db-8555-7e5f4cfd8504", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "offline_enrollment": { + "action": "o2fa_user_provisioned", + "description": { + "factor": "duo_otp", + "hostname": "WKSW10x64", + "user_agent": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)" + }, + "object": "Acme Laptop Windows Logon", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.offline_enrollment", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:40:24.650Z", + "dataset": "cisco_duo.offline_enrollment", + "ingested": "2021-12-29T09:40:25Z", + "original": "{\"action\":\"o2fa_user_provisioned\",\"description\":\"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\":\"2019-08-30T16:10:05+00:00\",\"object\":\"Acme Laptop Windows Logon\",\"timestamp\":1567181405,\"username\":\"narroway\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-offline_enrollment" + ], + "user": { + "name": "narroway" + } +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.2.2/data_stream/summary/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0bd9565680 --- /dev/null +++ b/packages/cisco_duo/1.2.2/data_stream/summary/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,25 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/info/summary
+request.transforms:
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/info/summary" "\n")))]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.2.2/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..89fe7b8801
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
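Review bot: The `Date` header and the HMAC input are produced by two separate `(now)` calls — one in the `header.Date` transform and one in the `formatDate (now) ...` inside the `header.Authorization` transform — so whenever a second boundary falls between the two evaluations the signed timestamp differs from the header actually sent and the API's signature check fails, which surfaces as rare, hard-to-diagnose authentication errors. If the transform context exposes the header set by the preceding transform, signing `(.header.Get "Date")` instead of a fresh `(now)` would remove the race; failing that, a comment above the two `set` entries, e.g. `# Date header and signature must be computed from the same instant`, is the minimum. The telephony template in this diff has the same pair of transforms. It is also worth a one-line comment that `{{integration_key}}` and `{{secret_key}}` are rendered in clear into the agent configuration, so the resulting policy has to be handled as sensitive material.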
@@ -0,0 +1,40 @@
+---
+description: Pipeline for parsing cisco_duo summary logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - set:
+ field: "@timestamp"
+ value: "{{{_ingest.timestamp}}}"
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - rename:
+ field: json.response.admin_count
+ target_field: cisco_duo.summary.admin_count
+ - rename:
+ field: json.response.integration_count
+ target_field: cisco_duo.summary.integration_count
+ - rename:
+ field: json.response.telephony_credits_remaining
+ target_field: cisco_duo.summary.telephony_credits_remaining
+ - rename:
+ field: json.response.user_count
+ target_field: cisco_duo.summary.user_count
+ - remove:
+ field: json
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/fields/agent.yml b/packages/cisco_duo/1.2.2/data_stream/summary/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/fields/agent.yml
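Review bot: The four `rename` processors on `json.response.*` carry no `ignore_missing`, and the response's `stat` value (present as `"stat":"OK"` in the summary sample event further down) is discarded together with `json`; a response that carries a `stat` but no `response` object — the shape that key implies for a failed call — fails at the first rename and is indexed with only `error.message`, with the API's own status code lost. Either keep `stat` (for example `- rename: field: json.stat target_field: cisco_duo.summary.stat ignore_missing: true`, with a matching entry in fields.yml) or add a comment above the renames stating that an unsuccessful API response is intentionally surfaced as an ingest error. The `remove` of `json` also lacks `ignore_missing: true`, as raised on the offline enrollment pipeline.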
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/fields/base-fields.yml b/packages/cisco_duo/1.2.2/data_stream/summary/fields/base-fields.yml
new file mode 100755
index 0000000000..28715de5b4
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.summary
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/fields/ecs.yml b/packages/cisco_duo/1.2.2/data_stream/summary/fields/ecs.yml
new file mode 100755
index 0000000000..27c12f2f15
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/fields/ecs.yml
@@ -0,0 +1,22 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/fields/fields.yml b/packages/cisco_duo/1.2.2/data_stream/summary/fields/fields.yml
new file mode 100755
index 0000000000..1c312f69e3
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/fields/fields.yml
@@ -0,0 +1,19 @@
+- name: cisco_duo.summary
+ type: group
+ fields:
+ - name: admin_count
+ type: integer
+ description: |
+ Current number of admins in the account.
+ - name: integration_count
+ type: integer
+ description: |
+ Current number of integrations in the account.
+ - name: telephony_credits_remaining
+ type: integer
+ description: |
+ Current total number of telephony credits available in the account. This is the sum of all types of telephony credits.
+ - name: user_count
+ type: integer
+ description: |
+ Current number of users in the account.
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/manifest.yml b/packages/cisco_duo/1.2.2/data_stream/summary/manifest.yml
new file mode 100755
index 0000000000..a76e61ce40
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/summary/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo summary logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-summary
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo summary logs
+ description: Collect Cisco Duo summary logs
diff --git a/packages/cisco_duo/1.2.2/data_stream/summary/sample_event.json b/packages/cisco_duo/1.2.2/data_stream/summary/sample_event.json new file mode 100755 index 0000000000..21d5e9a30f --- /dev/null +++ b/packages/cisco_duo/1.2.2/data_stream/summary/sample_event.json @@ -0,0 +1,46 @@ +{ + "@timestamp": "2021-12-29T09:41:01.807330132Z", + "agent": { + "ephemeral_id": "88177cd0-9798-45a3-86b1-48ab8de2fe35", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "summary": { + "admin_count": 3, + "integration_count": 9, + "telephony_credits_remaining": 960, + "user_count": 8 + } + }, + "data_stream": { + "dataset": "cisco_duo.summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:41:00.695Z", + "dataset": "cisco_duo.summary", + "ingested": "2021-12-29T09:41:01Z", + "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-summary" + ] +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.2.2/data_stream/telephony/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..f6b939bffb --- /dev/null +++ b/packages/cisco_duo/1.2.2/data_stream/telephony/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/telephony
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/telephony" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..652f4fc4ff
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
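Review bot: The cursor `last_published` stores the last event's `timestamp` and is fed back unchanged as `url.params.mintime`, so the event(s) carrying exactly that timestamp are requested again on the next poll and deduplication rests entirely on the telephony pipeline's fingerprint `_id` (timestamp, phone, context, type); that coupling deserves a comment on the `cursor:` block, e.g. `# mintime is inclusive: the last event is re-fetched and deduplicated by the pipeline's fingerprint _id`. Nothing in this template pages beyond a single response, so if the endpoint caps the number of records returned per call and more than that accumulate between two polls, the remainder is skipped once the cursor jumps to the last returned timestamp — whether such a cap applies is not visible in this diff and should be confirmed. The `default` for `mintime` passes `-{{interval}}` to `parseDuration`, which means an `interval` value in a form that helper does not accept only fails at request time; a short note on the expected duration format would help operators.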
@@ -0,0 +1,59 @@
+---
+description: Pipeline for parsing cisco_duo telephony logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.phone
+ - json.context
+ - json.type
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - rename:
+ field: json.context
+ target_field: cisco_duo.telephony.event_type
+ ignore_missing: true
+ - rename:
+ field: json.credits
+ target_field: cisco_duo.telephony.credits
+ ignore_missing: true
+ - rename:
+ field: json.phone
+ target_field: cisco_duo.telephony.phone_number
+ ignore_missing: true
+ - rename:
+ field: json.type
+ target_field: cisco_duo.telephony.type
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/fields/agent.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/fields/base-fields.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/base-fields.yml
new file mode 100755
index 0000000000..e63ba8b443
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.telephony
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/fields/ecs.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/ecs.yml
new file mode 100755
index 0000000000..df1220f07b
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/ecs.yml
@@ -0,0 +1,28 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/fields/fields.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/fields.yml new file mode 100755 index 0000000000..8d6f259a10 --- /dev/null +++ b/packages/cisco_duo/1.2.2/data_stream/telephony/fields/fields.yml @@ -0,0 +1,19 @@ +- name: cisco_duo.telephony + type: group + fields: + - name: event_type + type: keyword + description: | + How this telephony event was initiated. + - name: credits + type: integer + description: | + How many telephony credits this event cost. + - name: phone_number + type: keyword + description: | + The phone number that initiated this event. + - name: type + type: keyword + description: | + This type of telephony Event. diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/manifest.yml b/packages/cisco_duo/1.2.2/data_stream/telephony/manifest.yml new file mode 100755 index 0000000000..f8555c13a8 --- /dev/null +++ b/packages/cisco_duo/1.2.2/data_stream/telephony/manifest.yml 
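Review bot: The description of `cisco_duo.telephony.type` in fields.yml, `This type of telephony Event.`, is a typo, and neither it nor `event_type` states the value space, which is what a rule watching for unexpected SMS or phone spend would key on. Per the Duo Admin API telephony log documentation, `type` is the event type, `sms` or `phone`, and `context` (renamed to `event_type` by the pipeline) is how the event was initiated (`administrator login`, `authentication`, `enrollment` or `verify`), so I would write `The type of telephony event: sms or phone.` and `How this telephony event was initiated (administrator login, authentication, enrollment or verify); Duo's context field.`. The `phone_number` description should also flag that it is a subscriber phone number and therefore personal data, which bears on retention and access decisions for this data stream.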
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo telephony logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-telephony
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo telephony logs
+ description: Collect Cisco Duo telephony logs
diff --git a/packages/cisco_duo/1.2.2/data_stream/telephony/sample_event.json b/packages/cisco_duo/1.2.2/data_stream/telephony/sample_event.json
new file mode 100755
index 0000000000..54bd428fb2
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/data_stream/telephony/sample_event.json
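Review bot: The stream's `vars` declare only `tags`, `preserve_original_event` and `processors`, yet the template it points at (`httpjson.yml.hbs`) also consumes `interval`, `hostname`, `integration_key` and `secret_key`, so those are presumably package-level vars defined outside this diff and the dependency is invisible from this manifest. A comment under `template_path` such as `# interval, hostname, integration_key and secret_key are package-level vars shared by all cisco_duo streams` would make that explicit, and it is the natural place to repeat the README's operational constraint that `interval` must be greater than 1m, which nothing in this manifest enforces. If `interval` turns out to be a per-stream var rather than package-level, it should be declared here with that minimum stated in its description.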
@@ -0,0 +1,47 @@ +{ + "@timestamp": "2020-03-20T15:38:12.000Z", + "agent": { + "ephemeral_id": "42a4e3b7-2d15-41a9-9b9c-2f2d1a4ae179", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "telephony": { + "credits": 1, + "event_type": "authentication", + "phone_number": "+121234512345", + "type": "sms" + } + }, + "data_stream": { + "dataset": "cisco_duo.telephony", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:41:39.239Z", + "dataset": "cisco_duo.telephony", + "ingested": "2021-12-29T09:41:40Z", + "kind": "event", + "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-telephony" + ] +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/docs/README.md b/packages/cisco_duo/1.2.2/docs/README.md new file mode 100755 index 0000000000..82a4b95916 --- /dev/null +++ b/packages/cisco_duo/1.2.2/docs/README.md 
@@ -0,0 +1,755 @@ +# Cisco Duo + +The Cisco Duo integration collects and parses data from the [Cisco Duo Admin APIs](https://duo.com/docs/adminapi). + +## Compatibility + +This module has been tested against Cisco Duo `Core Authentication Service: D224.13` and `Admin Panel: D224.18` + +## Requirements + +In order to ingest data from the Cisco Duo Admin API you must: +- Have a the Cisco Duo administrator account with **Owner** role [Sign up](https://signup.duo.com/) +- Sign in to [Duo Admin Panel](https://admin.duosecurity.com/) +- Go through following tabs **Application > Protect an Application > Admin API > Protect** +- Now you will find your **Hostname**, **Integration key** and **Secret key** which will be required while configuring the integration package. +- For this integration you will require **Grant read information** and **Grant read log** permissions. +- Make sure you have whitelisted your IP Address. + +## Note + +While setting up the interval take care of following. +- `Interval has to be greater than 1m.` +- `Larger values of interval might cause delay in data ingestion.` + +## Logs + +### Administrator + +This is the `admin` dataset. 
+ +An example event for `admin` looks as following: + +```json +{ + "@timestamp": "2021-07-20T11:41:31.000Z", + "agent": { + "ephemeral_id": "d5c469ec-2802-48c4-9828-95a1a38a3d57", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "admin": { + "action": "activation_begin", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.admin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "activation_begin", + "agent_id_status": "verified", + "created": "2021-12-29T09:39:10.869Z", + "dataset": "cisco_duo.admin", + "ingested": "2021-12-29T09:39:11Z", + "kind": "event", + "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", + "outcome": "success", + "reason": "Starting activation process" + }, + "input": { + "type": "httpjson" + }, + "message": "Starting activation process", + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-admin" + ], + "user": { + "name": "narroway" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.admin.action | The type of change that was performed | keyword | +| cisco_duo.admin.action_performed_on | The object that was acted on. | keyword | +| cisco_duo.admin.flattened | ES flattened datatype for objects where the subfields aren't known in advance. | flattened | +| cisco_duo.admin.user.name | The full name of the administrator who performed the action in the Duo Admin Panel. 
| keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.changes.email | User email address. 
| keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Authentication + +This is the `auth` dataset. + +An example event for `auth` looks as following: + +```json +{ + "@timestamp": "2020-02-13T18:56:20.000Z", + "agent": { + "ephemeral_id": "af742618-01e6-4406-b573-aab628bfa898", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "89.160.20.156", + "is_encryption_enabled": "true", + "is_firewall_enabled": "true", + "is_password_set": "true", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + } + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Microsoft Azure Active Directory" + }, + "auth_device": { + "ip": "192.168.225.254", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "My iPhone X (734-555-2342)" + }, + "email": "narroway@example.com", + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_approved", + "result": "success", + "trusted_endpoint_status": "not trusted", + "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb" + } + }, + "data_stream": { + "dataset": "cisco_duo.auth", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + 
"agent_id_status": "verified", + "category": "authentication", + "created": "2021-12-29T09:39:46.431Z", + "dataset": "cisco_duo.auth", + "ingested": "2021-12-29T09:39:47Z", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", + "outcome": "success", + "reason": "user_approved", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "89.160.20.156", + "192.168.225.254" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "user": 
{ + "email": "narroway@example.com", + "group": { + "name": [ + "Duo Users", + "CorpHQ Users" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-auth" + ], + "user": { + "email": "narroway@example.com", + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Mac OS X", + "version": "10.14.1" + }, + "version": "67.0.3396.99" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.auth.access_device.flash_version | The Flash plugin version used, if present. | keyword | +| cisco_duo.auth.access_device.hostname | The hostname, if present. | keyword | +| cisco_duo.auth.access_device.ip | The access device's IP address. | ip | +| cisco_duo.auth.access_device.is_encryption_enabled | Reports the disk encryption state as detected by the Duo Device Health app. | keyword | +| cisco_duo.auth.access_device.is_firewall_enabled | Reports the firewall state as detected by the Duo Device Health app. | keyword | +| cisco_duo.auth.access_device.is_password_set | Reports the system password state as detected by the Duo Device Health app | keyword | +| cisco_duo.auth.access_device.java_version | The Java plugin version used. | keyword | +| cisco_duo.auth.access_device.location.city | The city name of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.location.country | The country of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.location.state | The state name of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.port | The access device's port number. | long | +| cisco_duo.auth.access_device.security_agents | Reports the security agents present on the endpoint as detected by the Duo Device Health app. 
| keyword | +| cisco_duo.auth.alias | The username alias used to log in. | keyword | +| cisco_duo.auth.application.key | The application's integration_key. | keyword | +| cisco_duo.auth.application.name | The application's name. | keyword | +| cisco_duo.auth.auth_device.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| cisco_duo.auth.auth_device.as.organization.name | Organization name. | keyword | +| cisco_duo.auth.auth_device.geo.city_name | City name. | keyword | +| cisco_duo.auth.auth_device.geo.continent_name | Name of the continent. | keyword | +| cisco_duo.auth.auth_device.geo.country_iso_code | Country ISO code. | keyword | +| cisco_duo.auth.auth_device.geo.country_name | Country name. | keyword | +| cisco_duo.auth.auth_device.geo.location | Longitude and latitude. | geo_point | +| cisco_duo.auth.auth_device.geo.region_iso_code | Region ISO code. | keyword | +| cisco_duo.auth.auth_device.geo.region_name | Region name. | keyword | +| cisco_duo.auth.auth_device.ip | The IP address of the authentication device. | ip | +| cisco_duo.auth.auth_device.location.city | The city name of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.location.country | The country of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.location.state | The state name of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.name | The name of the authentication device. | keyword | +| cisco_duo.auth.auth_device.port | The network port of the authentication device. | long | +| cisco_duo.auth.email | The email address of the user, if known to Duo, otherwise none. | keyword | +| cisco_duo.auth.event_type | The type of activity logged. | keyword | +| cisco_duo.auth.factor | The authentication factor. 
| keyword |
+| cisco_duo.auth.ood_software | If authentication was denied due to out-of-date software, shows the name of the software. | keyword |
+| cisco_duo.auth.reason | Provide the reason for the authentication attempt result. | keyword |
+| cisco_duo.auth.result | The result of the authentication attempt. | keyword |
+| cisco_duo.auth.trusted_endpoint_status | Status of Trusted Endpoint. | keyword |
+| cisco_duo.auth.txid | The transaction ID of the event. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| related.ip | All of the IPs seen on your event. | ip |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. 
| keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| source.user.email | User email address. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+### Offline Enrollment
+
+This is the `offline_enrollment` dataset. 
+
+An example event for `offline_enrollment` looks as following:
+
+```json
+{
+ "@timestamp": "2019-08-30T16:10:05.000Z",
+ "agent": {
+ "ephemeral_id": "3470fbe5-8d73-49db-8555-7e5f4cfd8504",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "offline_enrollment": {
+ "action": "o2fa_user_provisioned",
+ "description": {
+ "factor": "duo_otp",
+ "hostname": "WKSW10x64",
+ "user_agent": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)"
+ },
+ "object": "Acme Laptop Windows Logon",
+ "user": {
+ "name": "narroway"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.offline_enrollment",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2021-12-29T09:40:24.650Z",
+ "dataset": "cisco_duo.offline_enrollment",
+ "ingested": "2021-12-29T09:40:25Z",
+ "original": "{\"action\":\"o2fa_user_provisioned\",\"description\":\"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\":\"2019-08-30T16:10:05+00:00\",\"object\":\"Acme Laptop Windows Logon\",\"timestamp\":1567181405,\"username\":\"narroway\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-offline_enrollment"
+ ],
+ "user": {
+ "name": "narroway"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cisco_duo.offline_enrollment.action | The offline enrollment operation | keyword |
+| cisco_duo.offline_enrollment.description.factor | The type of authenticator used for offline access. 
| keyword |
+| cisco_duo.offline_enrollment.description.hostname | The host name of the system where Duo Windows Logon is installed. | keyword |
+| cisco_duo.offline_enrollment.description.user_agent | The Duo Windows Logon application version information and the Windows OS version and platform information. | keyword |
+| cisco_duo.offline_enrollment.object | The Duo Windows Logon integration's name. | keyword |
+| cisco_duo.offline_enrollment.user.name | The Duo username | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+
+
+### Summary
+
+This is the `summary` dataset. 
+
+An example event for `summary` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-29T09:41:01.807330132Z",
+ "agent": {
+ "ephemeral_id": "88177cd0-9798-45a3-86b1-48ab8de2fe35",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "summary": {
+ "admin_count": 3,
+ "integration_count": 9,
+ "telephony_credits_remaining": 960,
+ "user_count": 8
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.summary",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2021-12-29T09:41:00.695Z",
+ "dataset": "cisco_duo.summary",
+ "ingested": "2021-12-29T09:41:01Z",
+ "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-summary"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cisco_duo.summary.admin_count | Current number of admins in the account. | integer |
+| cisco_duo.summary.integration_count | Current number of integrations in the account. | integer |
+| cisco_duo.summary.telephony_credits_remaining | Current total number of telephony credits available in the account. This is the sum of all types of telephony credits. | integer |
+| cisco_duo.summary.user_count | Current number of users in the account. | integer |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. 
| text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+### Telephony
+
+This is the `telephony` dataset.
+
+An example event for `telephony` looks as following:
+
+```json
+{
+ "@timestamp": "2020-03-20T15:38:12.000Z",
+ "agent": {
+ "ephemeral_id": "42a4e3b7-2d15-41a9-9b9c-2f2d1a4ae179",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "telephony": {
+ "credits": 1,
+ "event_type": "authentication",
+ "phone_number": "+121234512345",
+ "type": "sms"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.telephony",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2021-12-29T09:41:39.239Z",
+ "dataset": "cisco_duo.telephony",
+ "ingested": "2021-12-29T09:41:40Z",
+ "kind": "event",
+ "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-telephony"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cisco_duo.telephony.credits | How many telephony credits this event cost. 
| integer |
+| cisco_duo.telephony.event_type | How this telephony event was initiated. | keyword |
+| cisco_duo.telephony.phone_number | The phone number that initiated this event. | keyword |
+| cisco_duo.telephony.type | This type of telephony Event. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/cisco_duo/1.2.2/img/cisco_duo-logo.svg b/packages/cisco_duo/1.2.2/img/cisco_duo-logo.svg
new file mode 100755
index 0000000000..ab30cd5b18
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/img/cisco_duo-logo.svg
@@ -0,0 +1,29 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/packages/cisco_duo/1.2.2/img/cisco_duo-screenshot.png b/packages/cisco_duo/1.2.2/img/cisco_duo-screenshot.png
new file mode 100755
index 0000000000..1270f7f8cf
Binary files /dev/null and b/packages/cisco_duo/1.2.2/img/cisco_duo-screenshot.png differ
diff --git a/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..1e5bb38068
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "This dashboard shows summary logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.summary\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.summary\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"panelRefName\":\"panel_3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"w\":12,\"x\":0,\"y\":13},\"panelIndex\":\"e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"panelRefName\":\"panel_e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"w\":12,\"x\":12,\"y\":13},\"panelIndex\":\"b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"panelRefName\":\"panel_b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"title\":\"[Cisco Duo] Integrations 
Count\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"w\":12,\"x\":24,\"y\":13},\"panelIndex\":\"85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"panelRefName\":\"panel_85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"w\":12,\"x\":36,\"y\":13},\"panelIndex\":\"80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"panelRefName\":\"panel_80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Summary Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4", + "name": "3b33c381-80ab-4111-ab09-fcc73e3f9a0b:panel_3b33c381-80ab-4111-ab09-fcc73e3f9a0b", + "type": "visualization" + }, + { + "id": "cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4", + "name": "e6ac6ace-57bd-4d11-b92b-a051cece0d4c:panel_e6ac6ace-57bd-4d11-b92b-a051cece0d4c", + "type": "visualization" + }, + { + "id": "cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4", + "name": "b31e0b4a-7166-421d-bb0a-e02cc3def401:panel_b31e0b4a-7166-421d-bb0a-e02cc3def401", + "type": "visualization" + }, + { + "id": "cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4", + "name": "85c0ed49-374f-448d-a9b4-88f4600d6ad8:panel_85c0ed49-374f-448d-a9b4-88f4600d6ad8", + "type": "visualization" + }, + { + "id": "cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4", + "name": "80fb20e4-3445-450f-8b05-bcf29c015d7a:panel_80fb20e4-3445-450f-8b05-bcf29c015d7a", + "type": "visualization" + } + ], + 
"type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..c34df2dfc1 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "This dashboard shows telephony logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"4109bbba-072c-4f73-8530-39f86d6b732d\",\"w\":25,\"x\":0,\"y\":0},\"panelIndex\":\"4109bbba-072c-4f73-8530-39f86d6b732d\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"afbddd10-9ee9-4e14-b984-cf15e057b9ce\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"afbddd10-9ee9-4e14-b984-cf15e057b9ce\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd25e144-12c2-4668-ac09-eadf51b0acfb\",\"w\":25,\"x\":0,\"y\":18},\"panelIndex\":\"fd25e144-12c2-4668-ac09-eadf51b0acfb\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Telephony Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4", + "name": "panel_2", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
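Review bot: The telephony dashboard's `searchSourceJSON` scopes itself with a raw KQL query, `data_stream.dataset : \"cisco_duo.telephony\"`, while the summary, authentication and offline-enrollment dashboards in this same change all use a `match_phrase` filter on `data_stream.dataset` with an `indexRefName` pointing at a `logs-*` index-pattern reference. The panel entries also use the legacy `panel_0`/`panel_1`/`panel_2` reference names and carry `"version":"7.15.0-SNAPSHOT"`, whereas every other saved object here is `7.17.2`, which suggests this file was exported from an older Kibana and not refreshed. Re-exporting it from the same 7.17.2 instance as the others would make the four dashboards uniform and keep the dataset scoping visible as a filter pill rather than hidden in the query bar.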
diff --git a/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..b674b48107 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "This dashboard shows authentication logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.auth\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.auth\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":0.99},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"panelRefName\":\"panel_25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"type\":\"map\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Source 
IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"cisco_duo.auth\\\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":false,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"orderBucketsBySum\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"5\",\"label\":\"Number of failed attempts\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Number of failed 
attempts\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":17,\"i\":\"14cc4daa-2411-4927-be9d-20fc287bd46f\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14cc4daa-2411-4927-be9d-20fc287bd46f\",\"panelRefName\":\"panel_14cc4daa-2411-4927-be9d-20fc287bd46f\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"panelRefName\":\"panel_988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"w\":24,\"x\":0,\"y\":37},\"panelIndex\":\"410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"panelRefName\":\"panel_410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"panelRefName\":\"panel_f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"panelRefName\":\"panel_90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"panelRefName\":\"panel_d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2c3d7
bcf-27ad-4fa0-9db2-a19282133333\",\"w\":24,\"x\":0,\"y\":71},\"panelIndex\":\"2c3d7bcf-27ad-4fa0-9db2-a19282133333\",\"panelRefName\":\"panel_2c3d7bcf-27ad-4fa0-9db2-a19282133333\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"cisco_duo.auth.access_device.is_firewall_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":17,\"i\":\"42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"w\":24,\"x\":24,\"y\":71},\"panelIndex\":\"42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"panelRefName\":\"panel_42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_password_se
t\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"w\":24,\"x\":0,\"y\":88},\"panelIndex\":\"bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"panelRefName\":\"panel_bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Authentication Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-158c0e80-148c-11ec-9386-31989719f9db", + "name": "25031c05-54c2-4d92-a275-1fa3a2bdf399:panel_25031c05-54c2-4d92-a275-1fa3a2bdf399", + "type": "map" + }, + { + "id": "cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4", + "name": "14cc4daa-2411-4927-be9d-20fc287bd46f:panel_14cc4daa-2411-4927-be9d-20fc287bd46f", + "type": "visualization" + }, + { + "id": "logs-*", + "name": 
"14cc4daa-2411-4927-be9d-20fc287bd46f:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14cc4daa-2411-4927-be9d-20fc287bd46f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4", + "name": "988a5cf4-cba9-4437-9323-fe7f37e2beba:panel_988a5cf4-cba9-4437-9323-fe7f37e2beba", + "type": "visualization" + }, + { + "id": "cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4", + "name": "410d1a65-1a7a-4680-95a9-1ecac80433b2:panel_410d1a65-1a7a-4680-95a9-1ecac80433b2", + "type": "visualization" + }, + { + "id": "cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4", + "name": "f56f5a11-3d30-4a6a-bdf1-0b32c7e26547:panel_f56f5a11-3d30-4a6a-bdf1-0b32c7e26547", + "type": "visualization" + }, + { + "id": "cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4", + "name": "90ee91c4-ebe8-4a2e-898b-e3492f302162:panel_90ee91c4-ebe8-4a2e-898b-e3492f302162", + "type": "visualization" + }, + { + "id": "cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4", + "name": "d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae:panel_d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae", + "type": "visualization" + }, + { + "id": "cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4", + "name": "2c3d7bcf-27ad-4fa0-9db2-a19282133333:panel_2c3d7bcf-27ad-4fa0-9db2-a19282133333", + "type": "visualization" + }, + { + "id": "cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4", + "name": "42f72b64-1bbf-49bd-909a-af8fcbc4c4e9:panel_42f72b64-1bbf-49bd-909a-af8fcbc4c4e9", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "42f72b64-1bbf-49bd-909a-af8fcbc4c4e9:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4", + "name": "bbabe39a-d588-40c3-81d5-fcfe6448b0ff:panel_bbabe39a-d588-40c3-81d5-fcfe6448b0ff", + "type": "visualization" + }, + { + "id": "logs-*", + "name": 
"bbabe39a-d588-40c3-81d5-fcfe6448b0ff:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..ce7e1180e7 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json 
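Review bot: The failed-attempts histogram embedded by value in `panelsJSON` (panel `14cc4daa-…`) declares two `terms` aggregations on the same field `source.ip`, id `7` as `segment` and id `6` as `group`, both labelled "Source IPs"; splitting the X axis and the series by an identical field yields one single-member series per bucket and a legend that duplicates the axis, so one of the two aggs should be dropped. The three `savedVis` panels are also scoped inconsistently: `14cc4daa-…` and `bbabe39a-…` carry the query `data_stream.dataset : \"cisco_duo.auth\"` in their own `searchSource`, while the `is_firewall_enabled` pie (`42f72b64-…`) has an empty query and filter and relies on the dashboard-level filter alone. Since every other panel in this dashboard is a by-reference visualization, consider exporting these three as saved visualizations too, which would make the scoping explicit and keep the `logs-*` index references in one place.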
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "This dashboard shows offline enrollment logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.offline_enrollment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.offline_enrollment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e1a3121-6df9-41a0-b167-3f837016650a\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"9e1a3121-6df9-41a0-b167-3f837016650a\",\"panelRefName\":\"panel_9e1a3121-6df9-41a0-b167-3f837016650a\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"w\":9,\"x\":9,\"y\":0},\"panelIndex\":\"fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"panelRefName\":\"panel_fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"73433d45-2afb-45aa-b823-e048841115c2\",\"w\":12,\"x\":18,\"y\":0},\"panelIndex\":\"73433d45-2afb-45aa-b823-e048841115c2\",\"panelRefName\":\"panel_73433d45-2afb-45aa-b823-e048841115c2\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a0546004-8d4b-444d-af9d-23a249df93e3\",\"w\":9,\"x\":30,\"y\":0},\"panelIndex\":\"a0546004-8d4b-444d-af9d-23a249df93e3\",\"panelRefName\":\"panel_a0546004-8d4b-444d-af9d-23a249df93e3\",\"type\":\"visu
alization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"panelRefName\":\"panel_68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"w\":9,\"x\":39,\"y\":0},\"panelIndex\":\"cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"panelRefName\":\"panel_cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"panelRefName\":\"panel_91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Offline Enrollment Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4", + "name": "9e1a3121-6df9-41a0-b167-3f837016650a:panel_9e1a3121-6df9-41a0-b167-3f837016650a", + "type": "visualization" + }, + { + "id": "cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4", + "name": "fd1a3e7c-5e1b-4fa1-8796-45abfa64e536:panel_fd1a3e7c-5e1b-4fa1-8796-45abfa64e536", + "type": "visualization" + }, + { + "id": "cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4", + "name": "73433d45-2afb-45aa-b823-e048841115c2:panel_73433d45-2afb-45aa-b823-e048841115c2", + "type": "visualization" + }, + { + "id": "cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4", + "name": 
"a0546004-8d4b-444d-af9d-23a249df93e3:panel_a0546004-8d4b-444d-af9d-23a249df93e3", + "type": "visualization" + }, + { + "id": "cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4", + "name": "68f7d41f-43dd-49d6-88ac-afa36a19ebeb:panel_68f7d41f-43dd-49d6-88ac-afa36a19ebeb", + "type": "visualization" + }, + { + "id": "cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4", + "name": "cc8c06d5-4825-4b25-9d69-e6fec23d07b3:panel_cc8c06d5-4825-4b25-9d69-e6fec23d07b3", + "type": "visualization" + }, + { + "id": "cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4", + "name": "91d1ac3b-5cec-4e60-9179-18aaf7ce6198:panel_91d1ac3b-5cec-4e60-9179-18aaf7ce6198", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json b/packages/cisco_duo/1.2.2/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json new file mode 100755 index 0000000000..94a0d26a3e --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"ce0cde1e-240f-4a56-bc83-60374450e029\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"4e14ab8b-6ac0-4c0d-92e4-56b7074b28f6\",\"includeInFitToBounds\":true,\"label\":\"Failed login attempts\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"768d716e-4cb1-435c-b301-f26d08954838\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_duo.auth\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":0.99}", + "title": "[Cisco Duo] Failed Login attempts", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "coreMigrationVersion": "7.17.2", + "id": 
"cisco_duo-158c0e80-148c-11ec-9386-31989719f9db", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..a9a287430c --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json 
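Review bot: The heatmap layer labelled "Failed login attempts" (and the map titled "[Cisco Duo] Failed Login attempts") counts every document in the layer's `ES_GEO_GRID` source: `mapStateJSON` has `"filters":[]` and its only query is `event.dataset : \"cisco_duo.auth\"`, so nothing restricts the layer to `event.outcome : "failure"`, the condition the authentication dashboard's histogram uses for the same concept. An analyst reading this map would see all authentications, successful ones included, plotted as failures. The query also filters on `event.dataset` while every dashboard in this change filters on `data_stream.dataset`; unless the ingest pipeline is known to populate `event.dataset`, aligning on `data_stream.dataset : "cisco_duo.auth" and event.outcome : "failure"` (or adding the outcome condition as a layer-level filter) would fix both points.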
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique integration count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique integration count\",\"field\":\"cisco_duo.offline_enrollment.object\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique integration count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..9014ebf37b --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Offline Enrollment Actions by user", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"cisco_duo.offline_enrollment.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Action\",\"field\":\"cisco_duo.offline_enrollment.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Offline Enrollment Actions by user\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..5c3a27e86a --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Number of Integration", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Integrations\",\"field\":\"cisco_duo.summary.integration_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Number of Integration\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..4931b9348e --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Telephony credits remaining", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Telephony Credits remaining\",\"field\":\"cisco_duo.summary.telephony_credits_remaining\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Telephony credits remaining\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..cd30ba06d2 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}" + }, + "title": "[Cisco Duo] Telephony credits used by telephony type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by telephony type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..59db0e4238 
--- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Factor used for offline enrollment", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Factor\",\"field\":\"cisco_duo.offline_enrollment.description.factor\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Factor used for offline enrollment\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..40b7177218 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Password set in user devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_password_set\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Password set in user devices\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..90b0e19ac1 --- /dev/null 
+++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Admin Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Admin\",\"field\":\"cisco_duo.summary.admin_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Admin Count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..9907b6ab37 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}" + }, + "title": "[Cisco Duo] Telephony credits used by types of telephony event", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by types of telephony event\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..87d11eeb62 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}" + }, + "title": "[Cisco Duo] Telephony credits used by Users", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Telephony credits used by user\",\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.phone_number\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by Users\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..20f6c91824 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Authentication Failed login attempts by Source IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Source 
IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":false,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"orderBucketsBySum\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"5\",\"label\":\"Number of failed attempts\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Number of failed attempts\"},\"type\":\"value\"}]},\"title\":\"[Cisco Duo] Authentication Failed login attempts by Source IP\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..078da4c7c6 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique user count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique user count\",\"field\":\"cisco_duo.offline_enrollment.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique user count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..da2378ca4d --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Encryption enabled in user devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_encryption_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Encryption enabled in user devices\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..d92b2f3dd3 --- /dev/null 
+++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Login Attempts by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Login Attempts by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..fab286e90d --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"success\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 successful login attempts by Application name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Successful Login attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application Name\",\"field\":\"cisco_duo.auth.application.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 successful login attempts by Application name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..d58a1fb237 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] User Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Users\",\"field\":\"cisco_duo.summary.user_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] User Count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..6e47523657 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Login attempts by authentication factor", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Factor of authentication\",\"field\":\"cisco_duo.auth.factor\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Others\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Login attempts by authentication factor\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..1a376593c1 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.summary\\\"\"}}" + }, + "title": "[Cisco Duo] Remaining telephony credits over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"f05fb810-0fa8-11ec-8382-e117c2442b42\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4a31a4d0-81c1-4705-879d-f5d196dacbd2\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":30,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"94a8c66d-6999-46aa-a647-20789ed9bdc1\",\"label\":\"Remaining telephony credits\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"cisco_duo.summary.telephony_credits_remaining\",\"id\":\"ef27c46b-0bb7-44cc-b819-331c4abb7798\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"[Cisco Duo] Remaining telephony credits over time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..40264dcc13 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique hostname count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hostname count\",\"field\":\"cisco_duo.offline_enrollment.description.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique hostname count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..2e2a815f69 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique action count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique action count\",\"field\":\"cisco_duo.offline_enrollment.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique action count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..e7acd2b977 
--- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Firewall enabled in user devices", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"cisco_duo.auth.access_device.is_firewall_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Firewall enabled in user devices\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..79ff8e5399 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Failed login attempts by reason over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"d8f092a5-ae66-4065-b008-32c860c6981a\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\" and event.outcome : \\\"failure\\\"\"},\"formatter\":\"number\",\"id\":\"28cb790c-2e1a-4805-84aa-1ed88babbed1\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"14432c40-0fd5-11ec-921c-81166521206e\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\"\"},\"id\":\"f284b6f0-0fd4-11ec-921c-81166521206e\",\"label\":\"\"}],\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"event.reason\",\"terms_size\":\"100\",\"time_range_mode\":\"entire_time_range\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"[Cisco Duo] Failed login attempts by reason over time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..640464c274 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Failed login attempts by username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Failed login attempts by username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..2786cb3f53 --- /dev/null +++ b/packages/cisco_duo/1.2.2/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Offline Enrollment actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"cisco_duo.offline_enrollment.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Number of unique hosts\",\"field\":\"cisco_duo.offline_enrollment.description.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Number of unique integrations\",\"field\":\"cisco_duo.offline_enrollment.object\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total count of action execution\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Offline Enrollment actions\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.2.2/manifest.yml b/packages/cisco_duo/1.2.2/manifest.yml
new file mode 100755
index 0000000000..5463cdb36e
--- /dev/null
+++ b/packages/cisco_duo/1.2.2/manifest.yml
@@ -0,0 +1,56 @@
+format_version: 1.0.0
+name: cisco_duo
+title: Cisco Duo
+version: 1.2.2
+license: basic
+description: Collect logs from Cisco Duo with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: ^7.17.2 || ^8.0.0
+screenshots:
+ - src: /img/cisco_duo-screenshot.png
+ title: Cisco Duo authentication log dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/cisco_duo-logo.svg
+ title: Cisco Duo logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_duo
+ title: Cisco Duo logs
+ description: Collect Cisco Duo logs
+ inputs:
+ - type: httpjson
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Hostname for the Cisco Duo Admin API (Add https:// before the hostname).
+ required: true
+ - name: integration_key
+ type: text
+ title: Integration Key
+ description: Integration key for the Cisco Duo Admin API.
+ required: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Secret key for the Cisco Duo Admin API.
+ required: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to query Cisco Duo Admin API.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ title: Collect Cisco Duo logs via API
+ description: Collect Cisco Duo Administrator, Authentication, Offline Enrollment, Summary, and Telephony logs
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_ftd/2.2.1/changelog.yml b/packages/cisco_ftd/2.2.1/changelog.yml
new file mode 100755
index 0000000000..25bb324a63
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/changelog.yml
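Review bot: The `hostname` variable under policy_templates → inputs → vars takes a free-form URL whose scheme the user types in themselves, as the description "Add https:// before the hostname" shows, so an `http://` prefix is accepted without complaint; package vars carry no URL validation, which makes this description the only guard. The httpjson request that consumes the value is outside this hunk, but presumably the integration key and a signature derived from `secret_key` accompany every request, and over plain `http` they would be exposed in transit. Make the expectation explicit in the one line that users actually read, e.g. `description: Base URL of the Cisco Duo Admin API including the scheme (for example https://<your-api-hostname>); use https only, since every request carries the integration credentials.`, and consider a title of `Admin API URL` so it matches the value expected. `secret_key` being `type: password` while `integration_key` stays `type: text` reads as intended, since the integration key is the identifier rather than the secret.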
@@ -0,0 +1,89 @@
+# newer versions go on top
+- version: "2.2.1"
+ changes:
+ - description: Remove invalid values from ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3344
+- version: "2.2.0"
+ changes:
+ - description: Add TLS system test
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3339
+ - description: Add TCP input with TLS support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3313
+- version: "2.1.1"
+ changes:
+ - description: Added link to Cisco's FTD documentation in readme
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2931
+- version: "2.1.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2778
+- version: "2.0.4"
+ changes:
+ - description: Set event.kind to alert only when sha_disposition is malware or custom
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3041
+- version: "2.0.3"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "2.0.2"
+ changes:
+ - description: Update observer to ftd and idps to better match this integration.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2551
+- version: "2.0.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2391
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2258
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1954
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1806
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1783
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1731
+- version: "1.0.0"
+ changes:
+ - description: Initial version to split Cisco FTD out from the general Cisco package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1586
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..28ea4aaa98
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..8f3ae72293
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e129442a23
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
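Review bot: Style point in stream.yml.hbs, and identically in the tcp.yml.hbs and udp.yml.hbs hunks on this line: `{{#each paths as |path i|}}` and `{{#each tags as |tag i|}}` declare an index block parameter `i` that nothing in the loop body reads, so `{{#each paths as |path|}}` and `{{#each tags as |tag|}}` express the same thing with one less name to puzzle over. The rendered YAML also mixes sequence indentation, with the `tags` items indented (`  - preserve_original_event`) and the `processors` item flush (`- add_locale: ~`); both forms parse, but yamllint's indent-sequences check flags the mix, so pick one file-wide, and `~` could be `null` for the same readability reason. The `{{processors}}`, `{{ssl}}` and `{{tcp_options}}` substitutions splice raw YAML from the agent policy into the stream config, which is the established pattern for these packages; a one-line comment such as `{{!-- processors / tcp_options are policy-supplied YAML rendered verbatim --}}` above each would tell a reader that this is deliberate rather than a missed escape.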
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..51dd1fc502 --- /dev/null +++ b/packages/cisco_ftd/2.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,1977 @@ +--- +description: "Pipeline for Cisco FTD logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: "8.2.0" + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. 
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
+ - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - 
^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: 
"111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + description: "302012" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: success + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: 
%{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: 
%{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + description: "338006" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + description: "338007" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + description: "338008" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + description: "338101" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from 
%{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + description: "338101" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + description: "338102" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + description: "338102" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + description: "338103" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + description: "338104" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + description: "338203" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + description: "338204" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + description: "338204" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + description: "338301" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + description: "338301" + value: "{{destination.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + description: "338301" + value: "{{destination.port}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + description: "338301" + value: 
"{{source.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + description: "338301" + value: "{{source.port}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + description: "502103" + pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + description: "502103" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + description: "502103" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + description: "507003" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "605004, 605005" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + description: "609001" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + description: "609002" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "611102, 611101" + pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'710005'" + field: "message" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." + - grok: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + description: "733100" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + description: "734001" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + description: "805001" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + description: "805002" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - split: + field: "_temp_.cisco.dap_records" + separator: ",\\s+" + ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "302012, 302014, 
302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
+
+ #
+ # Decode FTD's Security Event Syslog Messages
+ #
+ # 43000x messages are security event syslog messages specific to FTD.
+ # Format is a comma-separated sequence of key: value pairs.
+ #
+ # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
+ - kv:
+ if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "430001, 430002, 430003, 430004, 430005"
+ field_split: ",(?=[A-za-z1-9\\s]+:)"
+ value_split: ":"
+ target_field: "_temp_.orig_security"
+ trim_key: " "
+ trim_value: " "
+ ignore_failure: true
+
+ #
+ # Remove _temp_.full_message.
+ #
+ # The field has been used as temporary buffer while decoding. The full message
+ # is kept under event.original. Processors below can still add a message field, as some
+ # security events contain an explanatory Message field.
+ - remove:
+ field:
+ - message
+ - _temp_.full_message
+ ignore_missing: true
+
+ #
+ # Populate ECS fields from Security Events
+ #
+ # This script uses the key-value pairs from Security Events to populate
+ # the appropriate ECS fields.
+ #
+ # A single key can be mapped to multiple ECS fields, and more than one key can
+ # map to the same ECS field, which results in an array being created.
+ #
+ # This script performs an additional job:
+ #
+ # Before FTD version 6.3, the message_id was not included in Security Events.
+ # As this field encodes the kind of event (intrusion, connection, malware...) 
+ # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+ #*******************************************************************************
+
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
+ source: |
+ def getField(Map src, String[] path) {
+ for (int i=0; i new HashMap());
+ }
+ dest[path[path.length-1]] = value;
+ }
+ for (entry in params.entrySet()) {
+ def srcField = entry.getKey();
+ def param = entry.getValue();
+ String oldVal = getField(ctx, srcField.splitOnToken('.'));
+ if (oldVal == null) continue;
+ def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+ if (newVal != null) {
+ def dstField = param.getOrDefault('target', srcField);
+ setField(ctx, dstField.splitOnToken('.'), newVal);
+ }
+ }
+ - set:
+ if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+ field: dns.response_code
+ value: NOERROR
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value: 
malware-detected
+
+ #
+ # Handle event.duration
+ #
+ # It can be set from ConnectionDuration FTD field above. This field holds
+ # seconds as a string. Copy it to _temp_.duration_hms so that the following
+ # processor converts it to the right value and populates start and end.
+ - set:
+ field: "_temp_.duration_hms"
+ value: "{{event.duration}}"
+ ignore_empty_value: true
+
+ #
+ # Process the flow duration "hh:mm:ss" present in some messages
+ # This will fill event.start, event.end and event.duration
+ #
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
+ - lowercase:
+ field: "network.type"
+ ignore_failure: true
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number. 
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "permitted"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "allow"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "denied"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "deny"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "dropped"'
+ value: failure
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
+ #
+ # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: source.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: destination.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: network.bytes
+ type: long
+ 
ignore_failure: true
+ - convert:
+ field: source.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_source_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_destination_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_type
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: http.response.status_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: file.size
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+ ignore_failure: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ 
ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed. 
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs. 
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value: 
"{{url.domain}}"
+ ignore_failure: true
+ if: ctx?.url?.domain != null
+
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - append:
+ field: url.domain
+ value: "{{_temp_.url_domain}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?._temp_?.url_domain != null
+
+ #
+ # Populate ECS event.code
+ #
+ - rename:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: cisco.ftd.list_id
+ target_field: cisco.ftd.rule_name
+ ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: event
+ category:
+ - malware
+ type:
+ - info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
+ source: >-
+ if (ctx?.event?.action == null || 
!params.containsKey(ctx.event.action)) {
+ return;
+ }
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null) {
+ return;
+ }
+ if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+ if (ctx.event.outcome == 'success') {
+ ctx.event.type.add('allowed');
+ }
+ if (ctx.event.outcome == 'failure') {
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'block') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'monitored') {
+ ctx.event.category.add('intrusion_detection');
+ ctx.event.outcome = 'success';
+ }
+ }
+
+ # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases.
+ - set:
+ if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.kind
+ value: alert
+ - append:
+ if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.category
+ value: file
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. 
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "idps"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "ftd"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.ftd.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.ftd.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - 
append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.2.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.2.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..e02b7e2a25
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_ftd
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_ftd.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.2.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..e981c336d5
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/fields/ecs.yml
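Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so YAML reads it as an integer while the field itself is declared `keyword`; every other example in this file is either a plain string or already quoted (`"18D109"`, `"stretch"`). Quote it as `example: "666777888999"` so the documented example keeps the field's type and is not retyped by YAML tooling that round-trips the file.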
@@ -0,0 +1,567 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Reason why this event happened, according to the source. 
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
+ name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. 
internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
+ name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.2.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..cd3a6b2e3a --- /dev/null +++ b/packages/cisco_ftd/2.2.1/data_stream/log/fields/fields.yml 
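Review bot: The `event.created` definition is emitted twice in a row, and `server.domain` is defined twice (once between `related.user` and `service.id`, and again just before `server.address`); duplicate entries for the same field name in a fields file are at best dead weight and, if the two copies ever diverge, whichever one the package build applies last wins silently. If this file is produced from external ECS references by the package tooling, the duplicate references should be removed at the source rather than edited here. Separately, `url.password` is declared as an indexed keyword; whether the log pipeline ever populates it is outside this hunk, but indexing a credential in cleartext is worth confirming as intentional before the mapping ships.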
@@ -0,0 +1,155 @@
+- name: cisco.ftd
+ type: group
+ fields:
+ - name: message_id
+ type: keyword
+ description: |
+ The Cisco FTD message identifier.
+ - name: suffix
+ type: keyword
+ description: |
+ Optional suffix after %FTD identifier.
+ - name: source_interface
+ type: keyword
+ description: |
+ Source interface for the flow or event.
+ - name: destination_interface
+ type: keyword
+ description: |
+ Destination interface for the flow or event.
+ - name: rule_name
+ type: keyword
+ description: |
+ Name of the Access Control List rule that matched this event.
+ - name: source_username
+ type: keyword
+ description: |
+ Name of the user that is the source for this event.
+ - name: destination_username
+ type: keyword
+ description: |
+ Name of the user that is the destination for this event.
+ - name: mapped_source_ip
+ type: ip
+ description: |
+ The translated source IP address.
+ - name: mapped_source_port
+ type: long
+ description: |
+ The translated source port.
+ - name: mapped_destination_ip
+ type: ip
+ description: |
+ The translated destination IP address.
+ - name: mapped_destination_port
+ type: long
+ description: |
+ The translated destination port.
+ - name: threat_level
+ type: keyword
+ description: |
+ Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+ - name: threat_category
+ type: keyword
+ description: |
+ Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+ - name: connection_id
+ type: keyword
+ description: |
+ Unique identifier for a flow.
+ - name: icmp_type
+ type: short
+ description: |
+ ICMP type.
+ - name: icmp_code
+ type: short
+ description: |
+ ICMP code.
+ - name: connection_type
+ type: keyword
+ description: |
+ The VPN connection type
+ - name: dap_records
+ type: keyword
+ description: |
+ The assigned DAP records
+ - name: mapped_destination_host
+ type: keyword
+ - name: username
+ type: keyword
+ - name: mapped_source_host
+ type: keyword
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: |
+ The command line arguments logged by the local audit log
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: |
+ The IP address assigned to a VPN client successfully connecting
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the old value
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the new value
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: |
+ The related object for burst warnings
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: |
+ The related rate ID for burst warnings
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current burst rate seen
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured burst rate
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current average burst rate seen
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured average burst rate allowed
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: |
+ The total count of burst rate hits since the object was created or cleared
+ - name: security
+ type: flattened
+ description: Cisco FTD security event fields.
+ - name: webvpn.group_name
+ type: keyword
+ default_field: false
+ description: |
+ The WebVPN group name the user belongs to
+ - name: termination_user
+ default_field: false
+ type: keyword
+ description: |-
+ AAA name of user requesting termination
+- name: syslog.facility.code
+ type: long
+ description: Syslog numeric facility of the event.
+- name: syslog.priority
+ type: long
+ description: Syslog priority of the event.
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/manifest.yml b/packages/cisco_ftd/2.2.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..4491bc8ae3
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/manifest.yml
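Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are the only entries in the `cisco.ftd` group without a `description`, which leaves blank cells in the generated field table; following the wording of the neighbouring `mapped_*_ip` fields, `description: The translated destination host.`, `description: The translated source host.` and `description: Name of the user for this event.` would close the gap (confirm against the pipeline that populates them). The `burst.current_rate`, `burst.configured_rate`, `burst.avg_rate`, `burst.configured_avg_rate` and `burst.cumulative_count` fields are typed `keyword` although their descriptions say they hold rates and counts, so threshold alerts and range queries on burst warnings cannot be expressed numerically; if the device always emits integers, `type: long` serves detection better, though a type change on an existing stream is a mapping change to plan for. The `privilege.old` and `privilege.new` descriptions read "a users privilege" where "a user's privilege" is meant.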
@@ -0,0 +1,172 @@
+title: Cisco FTD logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - input: logfile
+ enabled: false
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cisco_ftd/2.2.1/data_stream/log/sample_event.json b/packages/cisco_ftd/2.2.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..f4b4c4b065
--- /dev/null
+++ b/packages/cisco_ftd/2.2.1/data_stream/log/sample_event.json
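Review bot: The commented example in the `tcp_options` default reads `#framing: delimitier`; the accepted value of the TCP input's `framing` option is `delimiter`, so a user who uncomments that sample line to enable it gets a rejected configuration — change it to `#framing: delimiter`. The `ssl` var description says `i.e. certificate_authorities, supported_protocols, verification_mode etc.` where `e.g.` is meant, as these are examples of keys rather than the complete set. Both listeners default to `localhost` on port 9003 with TLS off (the `ssl` default is entirely commented out), which is the conservative starting point, but nothing in the stream descriptions tells an operator that syslog over UDP or plain TCP carries no sender authentication; a sentence such as `Collect Cisco FTD logs over UDP. The listener accepts any sender that can reach the port, so restrict access at the host firewall.` on the `udp` and `tcp` stream descriptions would make that explicit. The `udp` stream also has no counterpart to `tcp_options` for tuning the input (for example `read_buffer` or `max_message_size`), which operators may need at FTD log volumes.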
@@ -0,0 +1,157 @@ +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102", + "hostname": "docker-fleet-agent", + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + 
"malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-04-11T08:03:35Z", + "kind": "event", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.21.0.4:50821" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + 
"original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} \ No newline at end of file diff --git a/packages/cisco_ftd/2.2.1/docs/README.md b/packages/cisco_ftd/2.2.1/docs/README.md new file mode 100755 index 0000000000..acde41953a --- /dev/null +++ b/packages/cisco_ftd/2.2.1/docs/README.md 
@@ -0,0 +1,397 @@ +# Cisco FTD Integration + +This integration is for [Cisco](https://www.cisco.com/c/en/us/support/security/index.html) Firepower Threat Defence (FTD) device's logs. The package processes syslog messages from Cisco Firepower devices + +It includes the following datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. + +## Configuration + +Cisco provides a range of Firepower devices, which may have different configuration steps. We recommend users navigate to the device specific configuration page, and search for/go to the "FTD Logging" or "Configure Logging on FTD" page for the specific device. + +## Logs + +### FTD + +The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102", + "hostname": "docker-fleet-agent", + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": 
"http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-04-11T08:03:35Z", + "kind": "event", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, 
+ "host": { + "hostname": "firepower" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.21.0.4:50821" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. | keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. 
| keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. 
| match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. 
| keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. 
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
| keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. 
For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/cisco_ftd/2.2.1/img/cisco.svg b/packages/cisco_ftd/2.2.1/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_ftd/2.2.1/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_ftd/2.2.1/manifest.yml b/packages/cisco_ftd/2.2.1/manifest.yml new file mode 100755 index 0000000000..271de485ed --- /dev/null +++ b/packages/cisco_ftd/2.2.1/manifest.yml 
@@ -0,0 +1,34 @@
+format_version: 1.0.0
+name: cisco_ftd
+title: Cisco FTD
+version: 2.2.1
+license: basic
+description: Collect logs from Cisco FTD with Elastic Agent.
+type: integration
+categories:
+  - network
+  - security
+release: ga
+conditions:
+  kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+  - src: /img/cisco.svg
+    title: cisco
+    size: 216x216
+    type: image/svg+xml
+policy_templates:
+  - name: cisco_ftd
+    title: Cisco FTD logs
+    description: Collect logs from Cisco FTD instances
+    inputs:
+      - type: tcp
+        title: Collect logs from Cisco FTD via TCP
+        description: Collecting logs from Cisco FTD via TCP
+      - type: udp
+        title: Collect logs from Cisco FTD via UDP
+        description: Collecting logs from Cisco FTD via UDP
+      - type: logfile
+        title: Collect logs from Cisco FTD via file
+        description: Collecting logs from Cisco FTD via file
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/cisco_ios/1.6.0/changelog.yml b/packages/cisco_ios/1.6.0/changelog.yml
new file mode 100755
index 0000000000..dbf9326aa2
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/changelog.yml
@@ -0,0 +1,66 @@
+# newer versions go on top
+- version: "1.6.0"
+  changes:
+    - description: Add TCP input with TLS support
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3314
+- version: "1.5.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2778
+- version: "1.4.2"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "1.4.1"
+  changes:
+    - description: Add missing event.original mapping
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2636
+- version: "1.4.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2392
+- version: "1.3.0"
+  changes:
+    - description: Add syslog header and timestamp parsing.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2475
+- version: "1.2.2"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+  changes:
+    - description: Add 8.0.0 version constraint
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2279
+- version: "1.1.2"
+  changes:
+    - description: Update Title and Description.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1955
+- version: "1.1.1"
+  changes:
+    - description: Fix logic that checks for the 'forwarded' tag
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1807
+- version: "1.1.0"
+  changes:
+    - description: Update to ECS 1.12.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1784
+- version: "1.0.0"
+  changes:
+    - description: Initial version of Cisco IOS as separate package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1582
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..eac70741c1
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,26 @@
+paths:
+{{#each paths as |path i|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..4a401c1add
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,27 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..f0f20354c1
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/1.6.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f22c5037ac
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
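Review bot: `ssl: {{ssl}}` in tcp.yml.hbs renders the user-supplied `ssl` variable on the key line, which is only valid YAML if the package renderer emits that variable as a single-line flow mapping; the variable's declared type lives in the data stream manifest, which is outside this diff, so it is worth confirming it is a yaml-typed var rather than free text. If it is, a comment above the block, `# ssl is yaml-typed and is rendered inline as a flow mapping`, would spare the next reader the same check. Because the key is wrapped in `{{#if ssl}}`, leaving the variable unset yields a TCP listener that accepts plaintext syslog, and the udp template in this same chunk has no TLS option at all; the input documentation should state that explicitly so operators know which transport carries the `LOGIN_SUCCESS`/`LOGOUT` user names the pipeline extracts.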
@@ -0,0 +1,288 @@
+---
+description: Pipeline for Cisco IOS logs.
+
+processors:
+  - set:
+      field: ecs.version
+      value: '8.2.0'
+  - set:
+      field: event.category
+      value: network
+  - set:
+      field: event.provider
+      value: firewall
+  - set:
+      field: event.type
+      value: info
+
+  - set:
+      field: event.original
+      copy_from: message
+      override: false
+  - remove:
+      field: message
+      ignore_missing: true
+  - dissect:
+      field: event.original
+      pattern: '%{_temp_.header} %%{message}'
+  - grok:
+      field: _temp_.header
+      patterns:
+        - '^<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER:event.sequence}?: (?:%{SYSLOGHOST:log.syslog.hostname}: )?%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}'
+        - '%{SYSLOGHOST:log.syslog.hostname} %{NUMBER:event.sequence}: %{CISCO_TIMESTAMP:_temp_.cisco_timestamp}'
+      pattern_definitions:
+        CISCO_TIMESTAMP: '%{CISCOTIMESTAMP}(?: %{TZ})?'
+      ignore_failure: true
+  - gsub:
+      description: Remove double spacing from the date.
+      field: _temp_.cisco_timestamp
+      ignore_missing: true
+      pattern: ' {2,}'
+      replacement: ' '
+  - set:
+      field: _conf.tz_offset
+      value: UTC
+      override: false
+  - date:
+      if: ctx?._temp_.cisco_timestamp != null
+      field: _temp_.cisco_timestamp
+      formats:
+        - "MMM d yyyy HH:mm:ss.SSS z"
+        - "MMM d yyyy HH:mm:ss.SSS"
+        - "MMM d yyyy HH:mm:ss z"
+        - "MMM d yyyy HH:mm:ss"
+
+        # Repeat without year.
+        - "MMM d HH:mm:ss.SSS z"
+        - "MMM d HH:mm:ss.SSS"
+        - "MMM d HH:mm:ss z"
+        - "MMM d HH:mm:ss"
+      timezone: '{{{_conf.tz_offset}}}'
+  - grok:
+      field: message
+      patterns:
+        - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}"
+  - convert:
+      field: event.severity
+      type: long
+      ignore_missing: true
+  - convert:
+      field: event.sequence
+      type: long
+      ignore_missing: true
+  - dissect:
+      field: message
+      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet"
+      if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)"
+  - dissect:
+      field: message
+      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet"
+      if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)"
+  - dissect:
+      field: message
+      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet"
+      if: "ctx.event?.code == 'IPACCESSLOGRP'"
+  - dissect:
+      field: message
+      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet"
+      if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)"
+  - dissect:
+      field: message
+      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
+      if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)"
+  - dissect:
+      field: message
+      pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}"
+      if: "ctx.event?.code == 'LOGIN_SUCCESS'"
+  - dissect:
+      field: message
+      pattern: "User %{source.user.name} has %{cisco.ios.action} %{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})"
+      if: "ctx.event?.code == 'LOGOUT'"
+  - grok:
+      field: message
+      patterns:
+        - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}'
+      pattern_definitions:
+        PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA})
+      if: "ctx.event?.code == 'INVALID_RP_JOIN'"
+  - set:
+      field: event.action
+      value: "multicast-join"
+      if: ctx.event?.code == "INVALID_RP_JOIN"
+  - set:
+      field: event.outcome
+      value: "failure"
+      if: ctx.event?.code == "INVALID_RP_JOIN"
+  - set:
+      field: event.reason
+      value: "Invalid RP"
+      if: ctx.event?.code == "INVALID_RP_JOIN"
+  - convert:
+      field: destination.address
+      target_field: destination.ip
+      type: ip
+      ignore_failure: true
+  - convert:
+      field: source.address
+      target_field: source.ip
+      type: ip
+      ignore_failure: true
+  - convert:
+      field: cisco.ios.pim.source.ip
+      type: ip
+      ignore_missing: true
+  - convert:
+      field: source.port
+      type: long
+      ignore_missing: true
+  - convert:
+      field: source.packets
+      type: long
+      ignore_missing: true
+  - convert:
+      field: destination.port
+      type: long
+      ignore_missing: true
+  - set:
+      field: network.packets
+      copy_from: source.packets
+      if: ctx.source?.packets != null
+  - set:
+      field: network.type
+      value: ipv4
+      if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')"
+  - set:
+      field: network.type
+      value: ipv6
+      if: "ctx.source?.ip != null && ctx.network?.type == null"
+  - set:
+      field: event.action
+      value: deny
+      if: "ctx._temp_?.event?.action == 'denied'"
+  - set:
+      field: event.type
+      value: denied
+      if: "ctx.event?.action == 'deny'"
+  - set:
+      field: event.action
+      value: allow
+      if: "ctx._temp_?.event?.action == 'permitted'"
+  - set:
+      field: event.type
+      value: allowed
+      if: "ctx.event?.action == 'allow'"
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 0"
+      value: emergencies
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 1"
+      value: alert
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 2"
+      value: critical
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 3"
+      value: error
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 4"
+      value: warning
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 5"
+      value: notification
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 6"
+      value: informational
+  - set:
+      field: "log.level"
+      if: "ctx.event.severity == 7"
+      value: debug
+
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+
+  - append:
+      field: related.ip
+      value: "{{{source.ip}}}"
+      allow_duplicates: false
+      if: ctx.source?.ip != null
+  - append:
+      field: related.ip
+      value: "{{{destination.ip}}}"
+      allow_duplicates: false
+      if: ctx.destination?.ip != null
+  - append:
+      field: related.user
+      value: "{{{source.user.name}}}"
+      allow_duplicates: false
+      if: ctx.source?.user?.name != null
+  - community_id:
+      ignore_missing: true
+      ignore_failure: true
+  - remove:
+      field:
+        - _temp_
+        - _conf
+      ignore_missing: true
+  - remove:
+      field: event.original
+      if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+
+on_failure:
+  - remove:
+      field:
+        - _temp_
+        - _conf
+      ignore_missing: true
+  - set:
+      field: error.message
+      value: "processor {{{ _ingest.on_failure_processor_type}}}: {{{ _ingest.on_failure_message }}}"
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/fields/agent.yml b/packages/cisco_ios/1.6.0/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..32d10234f9
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/fields/agent.yml
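Review bot: The date processor's condition `if: ctx?._temp_.cisco_timestamp != null` puts the null-safe operator on `ctx`, which is never null, rather than on `_temp_`, the member that can actually be absent; the rest of the pipeline writes `ctx._temp_?.event?.action`, so for consistency this should read `if: ctx._temp_?.cisco_timestamp != null`. In practice `_temp_.header` is always populated by the preceding dissect on `event.original` (which has no `ignore_failure`, so the pipeline would already have aborted to `on_failure`), which makes this a consistency fix rather than a live null dereference. Separately, the `network.type` detection via `contains('.')` would label an IPv4-mapped IPv6 literal such as `::ffff:192.0.2.1` (constructed example) as ipv4; if that form can appear in IOS ACL logs, leaving `network.type` unset for it is safer for detections keyed on the field.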
@@ -0,0 +1,216 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: elastic.agent.id
+ type: keyword
+- name: elastic.agent.snapshot
+ type: boolean
+- name: elastic.agent.version
+ type: keyword
+- name: input.type
+ type: keyword
+- name: log.offset
+ type: long
+- name: log.source.address
+ type: keyword
+- name: hostname
+ type: keyword
+ description: Hostname from syslog header.
+- name: process.program
+ type: keyword
+ description: Process from syslog header.
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/1.6.0/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..30f3b7cd06
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_ios
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_ios.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/fields/ecs.yml b/packages/cisco_ios/1.6.0/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..f7dcd2bfd5
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/fields/ecs.yml
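Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a generic YAML loader reads it as an integer even though the field's `type` is `keyword`; writing it as `example: "666777888999"` keeps the example the same type as the field, matching how `os.build` is already written (`example: "18D109"`). This looks like the shared agent-fields boilerplate copied across integrations, so the same fix probably belongs in whatever template it was copied from.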
@@ -0,0 +1,245 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
+ name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. 
+ name: network.community_id + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long diff --git a/packages/cisco_ios/1.6.0/data_stream/log/fields/fields.yml b/packages/cisco_ios/1.6.0/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..5342402f70 --- /dev/null +++ b/packages/cisco_ios/1.6.0/data_stream/log/fields/fields.yml 
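Review bot: `event.created` is declared twice in this file — the second `- description: |- event.created contains ...` / `name: event.created` / `type: date` item is a byte-for-byte repeat of the one immediately before it and should be dropped. Duplicate sequence items are legal YAML, so yamllint's `key-duplicates` check will not flag it; whether the package build silently de-duplicates the mapping or rejects the conflicting definition depends on the tooling, and keeping a single entry removes the ambiguity either way.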
@@ -0,0 +1,56 @@
+- name: cisco.ios
+ type: group
+ fields:
+ - name: access_list
+ type: keyword
+ description: |
+ Name of the IP access list.
+ - name: action
+ type: keyword
+ description: |
+ Action taken by the device
+ - name: facility
+ type: keyword
+ description: |
+ The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
+ - name: pim
+ type: group
+ fields:
+ - name: group
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: Multicast group IP
+ - name: source
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: Multicast source IP
+ - name: outcome
+ type: keyword
+ description: The result of the event
+ - name: session
+ type: group
+ description: Fields for Session information
+ fields:
+ - name: number
+ type: integer
+ description: Session ID
+ - name: type
+ type: keyword
+ example: tty
+ description: Session type
+- name: icmp.code
+ type: keyword
+ description: ICMP code.
+- name: icmp.type
+ type: keyword
+ description: ICMP type.
+- name: igmp.type
+ type: keyword
+ description: IGMP type.
+- name: log.syslog.hostname
+ type: keyword
+ description: Hostname parsed from syslog header.
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/manifest.yml b/packages/cisco_ios/1.6.0/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..161d335aa7
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/manifest.yml
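Review bot: `log.syslog.hostname` ("Hostname parsed from syslog header.") overlaps with the top-level `hostname` field declared in agent.yml ("Hostname from syslog header."); if the pipeline populates only one of them the other is a dead mapping, and if it populates both the same value is indexed twice. I would keep the more specific `log.syslog.hostname` and drop the bare `hostname` mapping once the pipeline stops writing it — only the tail of the pipeline is visible in this diff, so confirm which field it actually sets. Separately, `cisco.ios.session.number` is the only `integer` in the package's field files while the other numeric fields use `long`; if that is deliberate, a one-line comment above it saying so would keep the next reviewer from "fixing" it.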
@@ -0,0 +1,195 @@
+title: Cisco IOS logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco IOS logs
+ description: Collect Cisco IOS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ios
+ - forwarded
+ - name: syslog_host
+ type: text
+ title: Host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9002
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: true
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco IOS logs
+ description: Collect Cisco IOS logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ios
+ - forwarded
+ - name: syslog_host
+ type: text
+ title: Host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9002
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: true
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - input: logfile
+ enabled: false
+ title: Cisco IOS logs
+ description: Collect Cisco IOS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ios.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ios
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: true
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_ios/1.6.0/data_stream/log/sample_event.json b/packages/cisco_ios/1.6.0/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..4278f6958d
--- /dev/null
+++ b/packages/cisco_ios/1.6.0/data_stream/log/sample_event.json
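Review bot: The `tcp_options` default on the tcp input ships `#framing: delimitier`, a typo for `delimiter`; the line is commented out so it is inert as shipped, but it exists precisely to be uncommented, at which point the input is handed an unknown framing value. Change it to `#framing: delimiter`. Separately, the `processors` descriptions on the udp and tcp inputs use `>` (which keeps a trailing newline) while the logfile input uses `>-`; the three strings are otherwise identical, so the `>-` form the logfile input already uses should be applied to all three.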
@@ -0,0 +1,79 @@ +{ + "@timestamp": "2021-12-29T23:28:57.662Z", + "agent": { + "ephemeral_id": "74768486-101e-44bc-8eca-3f379325c2b6", + "id": "18c952cc-80e4-43a5-afa9-79993d53ebf6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" + } + }, + "data_stream": { + "dataset": "cisco_ios.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "224.0.0.22", + "ip": "224.0.0.22" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "18c952cc-80e4-43a5-afa9-79993d53ebf6", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "category": "network", + "code": "IPACCESSLOGRP", + "dataset": "cisco_ios.log", + "ingested": "2021-12-29T23:28:58Z", + "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet\n", + "provider": "firewall", + "sequence": 585917, + "severity": 6, + "timezone": "+00:00", + "type": "denied" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" + } + }, + "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", + "network": { + "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", + "packets": 1, + "transport": "igmp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.197", + "224.0.0.22" + ] + }, + "source": { + "address": "192.168.100.197", + "ip": "192.168.100.197", + "packets": 1 + }, + "tags": [ + "preserve_original_event", + "cisco-ios", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/cisco_ios/1.6.0/docs/README.md b/packages/cisco_ios/1.6.0/docs/README.md new file mode 100755 index 0000000000..865021f375 --- /dev/null +++ b/packages/cisco_ios/1.6.0/docs/README.md 
@@ -0,0 +1,210 @@ +# Cisco IOS Integration + +This integration is for Cisco IOS network device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +### IOS + +The `log` dataset collects the Cisco IOS router and switch logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2021-12-29T23:28:57.662Z", + "agent": { + "ephemeral_id": "74768486-101e-44bc-8eca-3f379325c2b6", + "id": "18c952cc-80e4-43a5-afa9-79993d53ebf6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" + } + }, + "data_stream": { + "dataset": "cisco_ios.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "224.0.0.22", + "ip": "224.0.0.22" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "18c952cc-80e4-43a5-afa9-79993d53ebf6", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "category": "network", + "code": "IPACCESSLOGRP", + "dataset": "cisco_ios.log", + "ingested": "2021-12-29T23:28:58Z", + "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet\n", + "provider": "firewall", + "sequence": 585917, + "severity": 6, + "timezone": "+00:00", + "type": "denied" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.100.2" + } + }, + "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", + "network": { + "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", + "packets": 1, + "transport": "igmp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.100.197", + "224.0.0.22" + ] + }, + "source": { + "address": "192.168.100.197", + "ip": "192.168.100.197", + "packets": 1 + }, + "tags": [ + "preserve_original_event", + "cisco-ios", 
+ "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.ios.access_list | Name of the IP access list. | keyword | +| cisco.ios.action | Action taken by the device | keyword | +| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | +| cisco.ios.outcome | The result of the event | keyword | +| cisco.ios.pim.group.ip | Multicast group IP | ip | +| cisco.ios.pim.source.ip | Multicast source IP | ip | +| cisco.ios.session.number | Session ID | integer | +| cisco.ios.session.type | Session type | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. 
| constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic.agent.id | | keyword | +| elastic.agent.snapshot | | boolean | +| elastic.agent.version | | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Hostname from syslog header. | keyword | +| icmp.code | ICMP code. | keyword | +| icmp.type | ICMP type. | keyword | +| igmp.type | IGMP type. | keyword | +| input.type | | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | | long | +| log.source.address | | keyword | +| log.syslog.hostname | Hostname parsed from syslog header. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| process.program | Process from syslog header. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/cisco_ios/1.6.0/img/cisco.svg b/packages/cisco_ios/1.6.0/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_ios/1.6.0/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_ios/1.6.0/manifest.yml b/packages/cisco_ios/1.6.0/manifest.yml new file mode 100755 index 0000000000..66155027bb --- /dev/null +++ b/packages/cisco_ios/1.6.0/manifest.yml 
@@ -0,0 +1,34 @@
+format_version: 1.0.0
+name: cisco_ios
+title: Cisco IOS
+version: 1.6.0
+license: basic
+description: Collect logs from Cisco IOS with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_ios
+ title: Cisco IOS logs
+ description: Collect logs from Cisco IOS instances
+ inputs:
+ - type: tcp
+ title: Collect logs from Cisco IOS via TCP
+ description: Collecting logs from Cisco IOS via TCP
+ - type: udp
+ title: Collect logs from Cisco IOS via UDP
+ description: Collecting logs from Cisco IOS via UDP
+ - type: logfile
+ title: Collect logs from Cisco IOS via file
+ description: Collecting logs from Cisco IOS via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_umbrella/0.7.0/changelog.yml b/packages/cisco_umbrella/0.7.0/changelog.yml
new file mode 100755
index 0000000000..995b7d4c56
--- /dev/null
+++ b/packages/cisco_umbrella/0.7.0/changelog.yml
@@ -0,0 +1,66 @@ +# newer versions go on top +- version: "0.7.0" + changes: + - description: Add Audit Logs + type: enhancement + link: https://github.com/elastic/integrations/pull/3332 +- version: "0.6.1" + changes: + - description: Fix use of destination.ip instead of source.nat.ip in DNS logs + type: bugfix + link: https://github.com/elastic/integrations/pull/3218 +- version: "0.6.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "0.5.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.5.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2396 +- version: "0.4.0" + changes: + - description: Update config to support Cisco Managed S3 + type: bugfix + link: https://github.com/elastic/integrations/pull/2462 +- version: "0.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2269 +- version: "0.2.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1959 +- version: "0.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1810 +- version: "0.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1787 +- version: "0.1.0" + changes: + - description: Initial migration from Filebeat Module + type: enhancement + link: https://github.com/elastic/integrations/pull/1646 diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/0.7.0/data_stream/log/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..13c48cb366 --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,70 @@
+{{#if queue_url}}
+queue_url: {{queue_url}}
+{{/if}}
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}/
+{{/if}}
+{{#if bucket_list_prefix}}
+file_selectors:
+ - regex: {{bucket_list_prefix}}/dnslogs/.+
+ - regex: {{bucket_list_prefix}}/proxylogs/.+
+ - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+
+ - regex: {{bucket_list_prefix}}/iplogs/.+
+ - regex: {{bucket_list_prefix}}/auditlogs/.+
+{{/if}}
+{{#if region}}
+default_region: {{region}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if bucket_list_interval}}
+bucket_list_interval: {{bucket_list_interval}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..cadb340add
--- /dev/null
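Review bot: `{{bucket_list_prefix}}` is spliced verbatim into the five `file_selectors` regexes, so a prefix containing regex metacharacters (`.`, `+`, `(`) changes what the selector matches instead of being taken literally; either escape the prefix before interpolation or add a comment such as `# bucket_list_prefix is interpolated into a regex; metacharacters in it are not escaped` so operators know to set a plain prefix. The two consecutive `{{#if bucket_list_prefix}}` blocks test the same variable and could be folded into one block. The templated scalars are emitted unquoted (`secret_access_key: {{secret_access_key}}`, `session_token: {{session_token}}`), so a value that starts with a YAML indicator or contains ` #` would be mis-parsed; quoting them as `secret_access_key: "{{secret_access_key}}"` avoids that without changing the rendered value for ordinary credentials.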
+++ b/packages/cisco_umbrella/0.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,423 @@ +--- +description: Pipeline for Cisco Umbrella + +processors: + - set: + field: ecs.version + value: "8.2.0" + - set: + field: observer.vendor + value: Cisco + - set: + field: observer.product + value: Umbrella + - rename: + field: message + target_field: event.original + ############ + # DNS Logs # + ############ + - csv: + field: event.original + target_fields: + - cisco.umbrella._tmp.time + - user.name + - cisco.umbrella.identities + - source.address + - source.nat.ip + - cisco.umbrella.action + - dns.question.type + - dns.response_code + - dns.question.name + - cisco.umbrella.categories + - cisco.umbrella.policy_identity_type + - cisco.umbrella.identity_types + - cisco.umbrella.blocked_categories + if: ctx?.log?.file?.path.contains('dnslogs') + + - set: + field: observer.type + value: dns + if: ctx?.log?.file?.path.contains('dnslogs') + ########### + # IP Logs # + ########### + - csv: + field: event.original + target_fields: + - cisco.umbrella._tmp.time + - user.name + - source.address + - source.port + - destination.address + - destination.port + - cisco.umbrella.categories + if: ctx?.log?.file?.path.contains('iplogs') + + - set: + field: observer.type + value: firewall + if: ctx?.log?.file?.path.contains('iplogs') + + ############## + # Proxy Logs # + ############## + - csv: + field: event.original + target_fields: + - cisco.umbrella._tmp.time + - cisco.umbrella.computer_name + - cisco.umbrella.identities + - source.address + - source.nat.ip + - destination.address + - cisco.umbrella.content_type + - cisco.umbrella.verdict + - url.full + - http.request.referrer + - user_agent.original + - http.response.status_code + - http.request.bytes + - http.response.bytes + - http.response.body.bytes + - cisco.umbrella.sha_sha256 + - cisco.umbrella.categories + - cisco.umbrella.av_detections + - cisco.umbrella.puas + - cisco.umbrella.amp_disposition + - cisco.umbrella.amp_malware_name + - cisco.umbrella.amp_score + - cisco.umbrella.identity_types + - 
cisco.umbrella.blocked_categories + - cisco.umbrella.identity_types + - cisco.umbrella.request_method + - cisco.umbrella.dlp_status + - cisco.umbrella.certificate_errors + - cisco.umbrella.file_name + - cisco.umbrella.ruleset_id + - cisco.umbrella.rule_id + - cisco.umbrella.destination_lists_id + if: ctx?.log?.file?.path.contains('proxylogs') + + - set: + field: observer.type + value: proxy + if: ctx?.log?.file?.path.contains('proxylogs') + + ####################### + # Cloud Firewall Logs # + ####################### + - csv: + field: event.original + target_fields: + - cisco.umbrella._tmp.time + - cisco.umbrella.origin_id + - user.name + - cisco.umbrella.identity_types + - cisco.umbrella.direction + - network.transport + - source.bytes + - source.address + - source.port + - destination.address + - destination.port + - cisco.umbrella.datacenter + - cisco.umbrella.ruleid + - cisco.umbrella.verdict + if: ctx?.log?.file?.path.contains('cloudfirewalllogs') + + - set: + field: observer.type + value: firewall + if: ctx?.log?.file?.path.contains('cloudfirewalllogs') + + ####################### + # Audit Logs # + ####################### + - csv: + field: event.original + target_fields: + - event.id + - cisco.umbrella._tmp.time + - user.email + - user.name + - cisco.umbrella.audit.type + - event.action + - source.address + - cisco.umbrella.audit.before + - cisco.umbrella.audit.after + if: ctx?.log?.file?.path.contains('auditlogs') + + - uri_parts: + field: url.full + ignore_failure: true + if: ctx?.url?.full != null + + # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
+ # Converting this to an array to make it easier to use in searches and visualizations + - split: + field: cisco.umbrella.identities + separator: "," + preserve_trailing: false + if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.identities != null" + + - split: + field: cisco.umbrella.categories + separator: "," + preserve_trailing: false + if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.categories != null" + - split: + field: cisco.umbrella.blocked_categories + separator: "," + preserve_trailing: false + if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.blocked_categories != null" + ###################### + # General ECS Fields # + ###################### + # This field is always in UTC, so no timezone should need to be set + - date: + field: cisco.umbrella._tmp.time + target_field: "@timestamp" + formats: + - "yyyy-MM-dd HH:mm:ss" + - ISO8601 + if: ctx?.cisco?.umbrella?._tmp?.time != null + ################## + # DNS ECS Fields # + ################## + - set: + field: dns.type + value: query + if: ctx?.cisco?.umbrella?.action != null + ###################### + # Network ECS Fields # + ###################### + - lowercase: + field: cisco.umbrella.direction + target_field: network.direction + if: ctx?.cisco?.umbrella?.direction != null + - convert: + field: source.bytes + type: long + if: ctx?.source?.bytes != null + - convert: + field: source.port + type: long + if: ctx?.source?.port != null + - convert: + field: destination.port + type: long + if: ctx?.destination?.port != null + ################### + # HTTP ECS Fields # + ################### + - convert: + field: http.request.bytes + type: long + if: ctx?.http?.request?.bytes != null + - convert: + field: http.response.bytes + type: long + if: ctx?.http?.response?.bytes != null + - convert: + field: http.response.status_code + type: long + if: ctx?.http?.response?.status_code != null + ################### + # Rule ECS Fields # + ################### 
+ - rename: + field: cisco.umbrella.ruleid + target_field: rule.id + if: ctx?.cisco?.umbrella?.ruleid != null + + #################### + # Event ECS Fields # + #################### + - set: + field: event.action + value: "dns-request-{{cisco.umbrella.action}}" + if: ctx?.cisco?.umbrella?.action != null + - set: + field: event.category + value: network + if: "!ctx?.log?.file?.path.contains('auditlogs')" + - append: + field: event.type + value: allowed + if: "ctx?.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx?.cisco?.umbrella?.verdict)" + - append: + field: event.type + value: denied + if: "ctx?.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx?.cisco?.umbrella?.verdict)" + - append: + field: event.type + value: connection + if: ctx?.cisco?.umbrella?.action != null + - set: + field: event.category + value: configuration + if: "ctx?.log?.file?.path.contains('auditlogs')" + - append: + field: event.type + value: creation + if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" + - append: + field: event.type + value: change + if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" + - append: + field: event.type + value: deletion + if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" + # Converting address fields to either ip or domain + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + on_failure: + - set: + copy_from: source.address + field: source.domain + override: true + + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + on_failure: + - set: + field: destination.domain + copy_from: destination.address + override: true + + # For nat, there's no address or domain subfield. + # If the value is not a valid IP, it must be removed + # or ingestion will fail. Probably just an empty value. 
+ - convert: + field: source.nat.ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: source.nat.ip + + - community_id: + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + ###################### + # Related ECS Fields # + ###################### + - append: + field: related.user + value: "{{user.name}}" + if: ctx?.source?.user?.name != null + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: ctx?.source?.nat?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + if: ctx?.destination?.ip != null + - append: + field: related.hosts + value: "{{source.domain}}" + if: ctx?.source?.domain != null + - append: + field: related.hosts + value: "{{dns.question.name}}" + if: ctx?.dns?.question?.name != null + - append: + field: related.hash + value: "{{cisco.umbrella.sha_sha256}}" + if: ctx?.cisco?.umbrella?.sha_sha256 != null + - script: + if: ctx?.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List + lang: painless + 
description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" + source: |- + void addRelatedUser(def ctx, def x) { + if (ctx?.related == null) { + Map map = new HashMap(); + ctx.put("related", map); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(x)) { + ctx.related.user.add(x); + } + } + for (cisco_identity in ctx.cisco.umbrella.identities) { + if (cisco_identity.contains('@')) { + addRelatedUser(ctx, cisco_identity); + } + } + + ########### + # Cleanup # + ########### + - remove: + field: + - cisco.umbrella._tmp + - cisco.umbrella.direction + - cisco.umbrella.action + - cisco.umbrella.verdict + ignore_missing: true + + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/agent.yml 
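Review bot: The `related.user` append in the Related ECS Fields section is gated on `ctx?.source?.user?.name != null` while its value is `{{user.name}}`; nothing in this pipeline sets `source.user.name`, so the append never fires for the `user.name` column the csv processors populate, and the condition should read `if: ctx?.user?.name != null`. The routing conditions of the form `ctx?.log?.file?.path.contains('dnslogs')` (and `ctx.event?.action.toLowerCase()` in the audit-log appends) only null-guard the member accesses, not the trailing method call, so when `log.file.path` or `event.action` is absent the call is made on null and, as far as I can tell, the document ends up in `on_failure` rather than the condition evaluating to false; `ctx?.log?.file?.path != null && ctx.log.file.path.contains('dnslogs')` is the safer form. In the proxy-log `csv` processor `cisco.umbrella.identity_types` appears twice in `target_fields`, so the earlier column is silently overwritten by the later one; the DNS processor maps the corresponding position to `cisco.umbrella.policy_identity_type`, which suggests the first occurrence was meant to be that field. The `split` processors and the identities script are restricted to `dnslogs` even though the proxy-log csv also fills `cisco.umbrella.identities`, `cisco.umbrella.categories` and `cisco.umbrella.blocked_categories`; if that restriction is deliberate, a comment stating why would help the next maintainer.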
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
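Review bot: The description of `cloud.project.id` ("Name of the project in Google Cloud") does not match the field, which is an identifier, and it is the only cloud entry that is also provider-specific in wording; `description: The cloud project identifier (for example the Google Cloud project id).` would describe what the field name says. The same entry, `cloud.image.id`, `host.containerized`, `host.os.build` and `host.os.codename` are also the only fields in this file without the `level:` and `ignore_above: 1024` that every sibling keyword carries, so an oversized value in one of them would fail indexing instead of being dropped like the others; adding `ignore_above: 1024` to the keyword ones keeps the mapping uniform. This file looks copied from the ECS/agent template, so the divergence is presumably accidental.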
diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..1fb9b67d57 --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/base-fields.yml @@ -0,0 +1,24 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_umbrella +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_umbrella.log +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..fbb3a4deb7 --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/ecs.yml 
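Review bot: `container.id` is declared here and again inside the `container` group of agent.yml in the same data stream, so the mapping for one field comes from two files; which definition the package build keeps (or whether it rejects the duplicate) is not visible here, and the two copies can drift apart. Keeping a single definition, presumably the one in the agent.yml group, and deleting the `- name: container.id` block from this file avoids the ambiguity. The description "Unique container id." is identical in both places today, which makes the duplicate easy to miss.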
@@ -0,0 +1,406 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
+ name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Total size in bytes of the request (body and headers). + name: http.request.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. 
+ name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Name of the directory the user is a member of. 
+ For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..930527b81d --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/fields/fields.yml 
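Review bot: `source.geo.location` and `destination.geo.location` are the only two entries in this file that carry a `level: core` key; every other field omits `level`, so either the key is redundant for this package and should be dropped from those two entries, or it is meant to be on every field and is missing elsewhere. Dropping it keeps the file uniform and avoids a reader assuming the other fields are deliberately unleveled. The `event.original` entry sets `index: false` and `doc_values: false`, which is the right choice for a raw-log field that is only retained when `preserve_original_event` is tagged.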
@@ -0,0 +1,108 @@ +- name: cisco.umbrella + type: group + description: > + Fields for Cisco Umbrella. + + fields: + - name: identities + type: keyword + description: > + An array of the different identities related to the event. + + - name: computer_name + type: keyword + description: > + The computer name related to the event. + + - name: categories + type: keyword + description: > + The security or content categories that the destination matches. + + - name: policy_identity_type + type: keyword + description: > + The first identity type matched with this request. Available in version 3 and above. + + - name: identity_types + type: keyword + description: > + The type of identity that made the request. For example, Roaming Computer or Network. + + - name: blocked_categories + type: keyword + description: > + The categories that resulted in the destination being blocked. Available in version 4 and above. + + - name: content_type + type: keyword + description: > + The type of web content, typically text/html. + + - name: sha_sha256 + type: keyword + description: > + Hex digest of the response content. + + - name: av_detections + type: keyword + description: > + The detection name according to the antivirus engine used in file inspection. + + - name: puas + type: keyword + description: > + A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. + + - name: amp_disposition + type: keyword + description: > + The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. + + - name: amp_malware_name + type: keyword + description: > + If Malicious, the name of the malware according to AMP. + + - name: amp_score + type: keyword + description: > + The score of the malware from AMP. This field is not currently used and will be blank. 
+ + - name: datacenter + type: keyword + description: > + The name of the Umbrella Data Center that processed the user-generated traffic. + + - name: origin_id + type: keyword + description: > + The unique identity of the network tunnel. + + - name: identities + type: keyword + - name: identity_types + type: keyword + - name: request_method + type: keyword + - name: dlp_status + type: keyword + - name: certificate_errors + type: keyword + - name: file_name + type: keyword + - name: ruleset_id + type: keyword + - name: rule_id + type: keyword + - name: destination_lists_id + type: keyword + - name: audit.type + type: keyword + description: Where the change was made, such as settings or a policy. + - name: audit.before + type: keyword + description: The policy or setting before the change was made. + - name: audit.after + type: keyword + description: The policy or setting after the change was made. diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/manifest.yml b/packages/cisco_umbrella/0.7.0/data_stream/log/manifest.yml new file mode 100755 index 0000000000..9908a895a4 --- /dev/null +++ b/packages/cisco_umbrella/0.7.0/data_stream/log/manifest.yml 
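Review bot: `identities` and `identity_types` are each defined twice inside the `cisco.umbrella` group: once with a description near the top of the file, and again without one after `origin_id`. Duplicate sibling field names are at best silently collapsed and at worst rejected by the package build, and the second copies add nothing, so the two trailing `- name: identities` / `type: keyword` and `- name: identity_types` / `type: keyword` entries should be deleted. The fields added alongside them (`request_method`, `dlp_status`, `certificate_errors`, `file_name`, `ruleset_id`, `rule_id`, `destination_lists_id`) have no `description:`, unlike every other field above; a one-line description per field, for example `description: Identifier of the rule that matched the request.` on `rule_id`, would keep the generated docs complete. `amp_score` is typed `keyword` while described as a score, which is fine if it is always blank as the description says, but worth a note if that changes.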
@@ -0,0 +1,148 @@
+title: Cisco Umbrella logs
+release: experimental
+type: logs
+streams:
+ - input: aws-s3
+ enabled: false
+ title: Cisco Umbrella logs
+ description: Collect Cisco Umbrella logs
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: queue_url
+ type: text
+ title: Queue URL
+ multi: false
+ required: false
+ show_user: true
+ description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN.
+ - name: bucket_arn
+ type: text
+ title: Bucket ARN
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket.
+ - name: region
+ type: text
+ title: Bucket Region
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ Required for Cisco Managed S3. The region the bucket is located in.
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket List Prefix
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. Forward slash at the end required for Cisco Managed S3.
+ - name: number_of_workers
+ type: text
+ title: Number of Workers
+ multi: false
+ required: false
+ show_user: true
+ default: 1
+ description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1.
+ - name: bucket_list_interval
+ type: text
+ title: Bucket List Interval
+ multi: false
+ required: false
+ show_user: true
+ description: Time interval for polling listing of the S3 bucket. Defaults to 120s.
+ - name: shared_credential_file
+ type: text
+ title: Shared Credential File
+ multi: false
+ required: false
+ show_user: false
+ description: Directory of the shared credentials file.
+ - name: credential_profile_name
+ type: text
+ title: Credential Profile Name
+ multi: false
+ required: false
+ show_user: false
+ - name: access_key_id
+ type: text
+ title: Access Key ID
+ multi: false
+ required: false
+ show_user: true
+ - name: secret_access_key
+ type: text
+ title: Secret Access Key
+ multi: false
+ required: false
+ show_user: true
+ - name: session_token
+ type: text
+ title: Session Token
+ multi: false
+ required: false
+ show_user: true
+ - name: role_arn
+ type: text
+ title: Role ARN
+ multi: false
+ required: false
+ show_user: false
+ - name: endpoint
+ type: text
+ title: Endpoint
+ multi: false
+ required: false
+ show_user: false
+ default: "amazonaws.com"
+ description: URL of the entry point for an AWS web service.
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-umbrella
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_umbrella/0.7.0/data_stream/log/sample_event.json b/packages/cisco_umbrella/0.7.0/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..f2356b0269
--- /dev/null
+++ b/packages/cisco_umbrella/0.7.0/data_stream/log/sample_event.json
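Review bot: `bucket_list_interval` has a description that says "Defaults to 120s" but carries no `default:` key, unlike `number_of_workers` and `endpoint`, so the Fleet form presents an empty value and the stated default lives only in prose; either add `default: 120s` or reword the description to say the input's own default applies when the field is left empty. The credential vars `credential_profile_name`, `access_key_id`, `secret_access_key`, `session_token` and `role_arn` are the only vars in this hunk without a `description:`, so a user sees five bare text boxes with no guidance on which authentication path to pick. Since the static-key trio is `show_user: true` while `role_arn` is `show_user: false`, the form as written steers operators toward long-lived access keys; a `description:` on each of those vars that names the alternatives (shared credentials file, role ARN) would document the choice without changing behaviour.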
@@ -0,0 +1,97 @@
+{
+ "destination": {
+ "geo": {
+ "continent_name": "North America",
+ "country_name": "United States",
+ "location": {
+ "lon": -97.822,
+ "lat": 37.751
+ },
+ "country_iso_code": "US"
+ },
+ "as": {
+ "number": 15169,
+ "organization": {
+ "name": "Google LLC"
+ }
+ },
+ "address": "8.8.8.8",
+ "ip": "8.8.8.8"
+ },
+ "source": {
+ "nat": {
+ "ip": "1.1.1.1"
+ },
+ "address": "192.168.1.1",
+ "ip": "192.168.1.1"
+ },
+ "url": {
+ "path": "/blog/ext_id=Anyclip",
+ "original": "https://elastic.co/blog/ext_id=Anyclip",
+ "scheme": "https",
+ "domain": "elastic.co",
+ "full": "https://elastic.co/blog/ext_id=Anyclip"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "observer": {
+ "type": "proxy",
+ "product": "Umbrella",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2020-07-23T23:48:56.000Z",
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "related": {
+ "hash": [
+ ""
+ ],
+ "ip": [
+ "192.168.1.1",
+ "1.1.1.1",
+ "8.8.8.8"
+ ]
+ },
+ "http": {
+ "request": {
+ "referrer": "https://google.com/elastic",
+ "bytes": 850
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-09-13T00:16:24.480432923Z",
+ "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
+ "category": "network",
+ "type": [
+ "allowed"
+ ]
+ },
+ "cisco": {
+ "umbrella": {
+ "amp_score": "",
+ "puas": "Malicious",
+ "identities": [
+ "someotheruser"
+ ],
+ "content_type": "",
+ "identity_types": "Roaming Computers",
+ "blocked_categories": "",
+ "sha_sha256": "",
+ "amp_disposition": "MalwareName",
+ "categories": "Business Services",
+ "av_detections":
"AVDetectionName",
+ "amp_malware_name": ""
+ }
+ },
+ "user": {
+ "name": "elasticuser"
+ },
+ "user_agent": {
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/0.7.0/docs/README.md b/packages/cisco_umbrella/0.7.0/docs/README.md
new file mode 100755
index 0000000000..10abae0590
--- /dev/null
+++ b/packages/cisco_umbrella/0.7.0/docs/README.md
@@ -0,0 +1,276 @@
+# Cisco Umbrella Integration
+
+This integration is for Cisco Umbrella . It includes the following
+datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS:
+
+- `log` dataset: supports Cisco Umbrella logs.
+
+## Logs
+
+### Umbrella
+
+When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.
+
+The `log` dataset collects Cisco Umbrella logs.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "destination": {
+ "geo": {
+ "continent_name": "North America",
+ "country_name": "United States",
+ "location": {
+ "lon": -97.822,
+ "lat": 37.751
+ },
+ "country_iso_code": "US"
+ },
+ "as": {
+ "number": 15169,
+ "organization": {
+ "name": "Google LLC"
+ }
+ },
+ "address": "8.8.8.8",
+ "ip": "8.8.8.8"
+ },
+ "source": {
+ "nat": {
+ "ip": "1.1.1.1"
+ },
+ "address": "192.168.1.1",
+ "ip": "192.168.1.1"
+ },
+ "url": {
+ "path": "/blog/ext_id=Anyclip",
+ "original": "https://elastic.co/blog/ext_id=Anyclip",
+ "scheme": "https",
+ "domain": "elastic.co",
+ "full": "https://elastic.co/blog/ext_id=Anyclip"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "observer": {
+ "type": "proxy",
+ "product": "Umbrella",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2020-07-23T23:48:56.000Z",
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "related": {
+ "hash": [
+ ""
+ ],
+ "ip": [
+ "192.168.1.1",
+ "1.1.1.1",
+ "8.8.8.8"
+ ]
+ },
+ "http": {
+ "request": {
+ "referrer": "https://google.com/elastic",
+ "bytes": 850
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-09-13T00:16:24.480432923Z",
+ "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
+ "category": "network",
+ "type": [
+ "allowed"
+ ]
+ },
+ "cisco": {
+ "umbrella": {
+ "amp_score": "",
+ "puas": "Malicious",
+ "identities": [
+ "someotheruser"
+ ],
+ "content_type": "",
+ "identity_types": "Roaming Computers",
+ "blocked_categories": "",
+ "sha_sha256": "",
+ "amp_disposition": "MalwareName",
+ "categories": "Business Services",
+ "av_detections": "AVDetectionName",
+ "amp_malware_name": ""
+ }
+ },
+ "user": {
+ "name": "elasticuser"
+ },
+ "user_agent": {
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword |
+| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword |
+| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword |
+| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword |
+| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword |
+| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword |
+| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword |
+| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword |
+| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword |
+| cisco.umbrella.certificate_errors | | keyword |
+| cisco.umbrella.computer_name | The computer name related to the event. | keyword |
+| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword |
+| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword |
+| cisco.umbrella.destination_lists_id | | keyword |
+| cisco.umbrella.dlp_status | | keyword |
+| cisco.umbrella.file_name | | keyword |
+| cisco.umbrella.identities | | keyword |
+| cisco.umbrella.identity_types | | keyword |
+| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword |
+| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword |
+| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword |
+| cisco.umbrella.request_method | | keyword |
+| cisco.umbrella.rule_id | | keyword |
+| cisco.umbrella.ruleset_id | | keyword |
+| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. 
| keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. 
| keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.response_code | The DNS response code. | keyword |
+| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
If the event wasn't read from a log file, do not populate this field. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. 
| keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". 
| wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/cisco_umbrella/0.7.0/img/cisco.svg b/packages/cisco_umbrella/0.7.0/img/cisco.svg
new file mode 100755
index 0000000000..20ebebf197
--- /dev/null
+++ b/packages/cisco_umbrella/0.7.0/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco_umbrella/0.7.0/manifest.yml b/packages/cisco_umbrella/0.7.0/manifest.yml
new file mode 100755
index 0000000000..e8cf60233b
--- /dev/null
+++ b/packages/cisco_umbrella/0.7.0/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: cisco_umbrella
+title: Cisco Umbrella
+version: 0.7.0
+license: basic
+description: Collect logs from Cisco Umbrella with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: experimental
+conditions:
+ kibana.version: "^8.0.0"
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_umbrella
+ title: Cisco Umbrella logs
+ description: Collect logs from Cisco Umbrella instances
+ inputs:
+ - type: aws-s3
+ title: Collect logs from Cisco Umbrella
+ description: Collecting logs from Cisco Umbrella
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/crowdstrike/1.3.2/changelog.yml b/packages/crowdstrike/1.3.2/changelog.yml
new file mode 100755
index 0000000000..4a54da87b9
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/changelog.yml
@@ -0,0 +1,161 @@ +# newer versions go on top +- version: "1.3.2" + changes: + - description: Format source.mac as per ECS. + type: bugfix + link: https://github.com/elastic/integrations/pull/3302 +- version: "1.3.1" + changes: + - description: Update readme file. Added link to CrowdStrike docs + type: enhancement + link: https://github.com/elastic/integrations/pull/3057 +- version: "1.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.2.7" + changes: + - description: Move invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3098 +- version: "1.2.6" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.5" + changes: + - description: Add date parsing for BiosReleaseDate field. + type: bugfix + link: https://github.com/elastic/integrations/pull/2867 +- version: "1.2.4" + changes: + - description: Add missing field mapping for several event and host fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/2869 +- version: "1.2.3" + changes: + - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. + type: bugfix + link: https://github.com/elastic/integrations/pull/2701 +- version: "1.2.2" + changes: + - description: Add Ingest Pipeline script to map IANA Protocol Numbers + type: bugfix + link: https://github.com/elastic/integrations/pull/2470 +- version: "1.2.1" + changes: + - description: Fix issue with "Is FDR Queue" selector having no effect. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/2653 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2398 +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2229 +- version: "1.0.4" + changes: + - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 + - description: Pipeline fixes for FDR + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 +- version: "1.0.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: | + https://github.com/elastic/integrations/pull/2022 +- version: "1.0.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1961 +- version: "1.0.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1812 +- version: '1.0.0' + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1630 +- version: "0.9.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1655 +- version: "0.8.1" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "0.8.0" + changes: + - description: Add FDR data stream. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Change Falcon ECS fields definition to use references + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Add cleanup processor to Falcon + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 +- version: '0.7.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1378 +- version: "0.7.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.6.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1258 +- version: "0.5.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1036 +- version: "0.4.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/841 +- version: "0.4.0" + changes: + - description: Moves edge processing to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/774 +- version: "0.3.1" + changes: + - description: Change kibana.version constraint to be more conservative. + type: bugfix + link: https://github.com/elastic/integrations/pull/749 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/182 diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/agent/stream/log.yml.hbs b/packages/crowdstrike/1.3.2/data_stream/falcon/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..79e1726037 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/agent/stream/log.yml.hbs 
@@ -0,0 +1,25 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +# Crowdstrike Falcon SIEM connector logs are multiline JSON by default +multiline.pattern: '^{' +multiline.negate: true +multiline.match: after +multiline.max_lines: 5000 +multiline.timeout: 10 +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml new file mode 100755 index 0000000000..1469046543 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml @@ -0,0 +1,32 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [authentication] + - append: + field: event.type + value: [change] + - convert: + field: crowdstrike.event.ServiceName + type: string + target_field: message + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + - script: + lang: painless + source: | + def regex = /([a-z0-9])([A-Z])/; + def replacement = "$1_$2"; + def action = ctx?.crowdstrike?.event?.OperationName; + if (action == null || action == "") return; + ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); 
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2a94af718b --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,423 @@ +--- +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: crowdstrike + - remove: + field: + - host.name + ignore_missing: true + - remove: + field: crowdstrike.event.ProcessStartTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.ProcessStartTime == 0 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 + - remove: + field: crowdstrike.event.ProcessEndTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.ProcessEndTime == 0 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 + - remove: + field: crowdstrike.event.IncidentStartTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.IncidentStartTime == 0 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 + - remove: + field: crowdstrike.event.IncidentEndTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.IncidentEndTime == 0 + - date: + field: 
crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 + - remove: + field: crowdstrike.event.StartTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.StartTimestamp == 0 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.event.EndTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.EndTimestamp == 0 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.event.UTCTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.UTCTimestamp == 0 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.metadata.eventCreationTime + ignore_missing: true + if: ctx?.crowdstrike?.metadata?.eventCreationTime == 0 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: 
crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + 
!(ctx.crowdstrike.event.StartTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 + - set: + field: event.outcome + value: success + if: ctx?.crowdstrike?.event?.Success == true + - set: + field: event.outcome + value: failure + if: ctx?.crowdstrike?.event?.Success == false + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - convert: + field: crowdstrike.metadata.eventCreationTime + target_field: "@timestamp" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LateralMovement + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LocalPort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCount + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: 
crowdstrike.event.MatchCountSinceLastReport + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.PID + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.RemotePort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: source.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: destination.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserId + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name == null || ctx?.user?.name == "" + - set: + field: user.email + value: "{{user.name}}" + ignore_empty_value: true + ignore_failure: true + if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 + - script: + lang: painless + source: | + def commandLine = ctx?.crowdstrike?.event?.CommandLine; + if (commandLine != null) { + + commandLine = commandLine.trim(); + + if (commandLine != "") { + def args = Arrays.asList(/ /.split(commandLine)); + args.removeIf(arg -> arg == ""); + + ctx["process.command_line"] = commandLine; + ctx["process.args"] = args; + ctx["process.executable"] = args.get(0); + } + } + - pipeline: + name: '{{ IngestPipeline "detection_summary" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "incident_summary" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "user_activity_audit" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" + - pipeline: + name: '{{ IngestPipeline "auth_activity_audit" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" + - pipeline: + name: '{{ 
IngestPipeline "firewall_match" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_start" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_end" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" + - script: + lang: painless + if: ctx?.crowdstrike?.event != null + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + - 0 + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + if: ctx?.crowdstrike?.metadata != null + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.user?.name != null && ctx?.user?.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + - append: + field: related.hosts + value: "{{host.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.host?.name != null && ctx?.host?.name != "" + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml new file mode 100755 index 0000000000..22bebe784e --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml 
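Review bot: The command-line script in this hunk builds `args` with `Arrays.asList(...)` and then calls `args.removeIf(...)`; if Painless keeps the JDK semantics here, `Arrays.asList` returns a fixed-size list whose `removeIf` throws `UnsupportedOperationException` the moment it has an element to remove, i.e. whenever the command line contains two consecutive spaces, and the whole event then falls through to `on_failure` with only `error.message` set and no ECS fields. Copying into a mutable list avoids that: `def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));`. Separately, `process.executable` is taken as the first space-delimited token, so a quoted executable path that contains spaces (common on Windows) yields a truncated value; deriving it from the quoted prefix when the command line starts with `"` would be more accurate.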
@@ -0,0 +1,161 @@ +--- +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.LocalIP + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" + - convert: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_failure: true + type: long + ignore_missing: true + - convert: + field: crowdstrike.event.ParentImageFileName + target_field: process.parent.executable + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ParentCommandLine + target_field: process.parent.command_line + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.PatternDispositionDescription + target_field: event.action + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FileName + target_field: process.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.MachineDomain + target_field: user.domain + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SensorId + target_field: agent.id + type: 
string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ComputerName + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SHA256String + target_field: file.hash.sha256 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha256}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) + - convert: + field: crowdstrike.event.MD5String + target_field: file.hash.md5 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.md5}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) + - convert: + field: crowdstrike.event.SHA1String + target_field: file.hash.sha1 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha1}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) + - convert: + field: crowdstrike.event.DetectName + target_field: rule.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: rule.description + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Technique + target_field: threat.technique.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.technique.name + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.Tactic + target_field: threat.tactic.name + type: string + ignore_failure: true + ignore_missing: true + - 
lowercase: + field: threat.tactic.name + ignore_missing: true + ignore_failure: true diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml new file mode 100755 index 0000000000..28dac8ccd0 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml 
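Review bot: The `set agent.type: falcon` and `convert SensorId → agent.id` processors in this hunk overwrite the `agent.*` fields that Elastic Agent populates for the shipping agent, so the document can no longer be attributed to the Fleet agent that collected it and `agent.id` filters mix Falcon sensor ids with Elastic Agent ids. ECS places the product that observed the event under `observer.*` (`observer.vendor`, `observer.product`, `observer.serial_number` for the sensor id), which is the more conventional home for these values; the same `agent.type` override appears in the incident_summary hunk. Also, `crowdstrike.event.PatternDispositionDescription` is mapped straight to `event.action`, and judging by the field name it carries descriptive text rather than the stable, low-cardinality identifier ECS expects there; a short keyword derived from it (or keeping the raw value under the crowdstrike namespace only) would make the field usable in detection rules.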
@@ -0,0 +1,135 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [firewall_match_event] + - append: + field: event.type + value: [start, connection] + - set: + field: message + value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" + if: ctx?.crowdstrike?.event?.RuleName != null + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.PID" + target_field: "process.pid" + ignore_failure: true + ignore_missing: true + type: "long" + - convert: + field: "crowdstrike.event.RuleId" + target_field: "rule.id" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleName" + target_field: "rule.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleGroupName" + target_field: "rule.ruleset" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleDescription" + target_field: "rule.description" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleFamilyID" + target_field: "rule.category" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.HostName" + target_field: "host.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.EventType" + target_field: "event.code" + type: string + ignore_missing: true + ignore_failure: true + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: source.ip + value: 
"{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: source.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml new file mode 100755 index 0000000000..667222dc79 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml 
@@ -0,0 +1,27 @@
+---
+processors:
+ - set:
+ field: event.kind
+ value: alert
+ - append:
+ field: event.category
+ value: [malware]
+ - append:
+ field: event.type
+ value: [info]
+ - set:
+ field: event.action
+ value: incident
+ - set:
+ field: agent.type
+ value: falcon
+ - convert:
+ field: crowdstrike.event.FalconHostLink
+ target_field: event.url
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: message
+ value: "Incident score {{crowdstrike.event.FineScore}}"
+ if: ctx?.crowdstrike?.event?.FineScore != null
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml
new file mode 100755
index 0000000000..7415f62e1d
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml
@@ -0,0 +1,23 @@
+---
+processors:
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: [network, session]
+ - append:
+ field: event.action
+ value: [remote_response_session_end_event]
+ - append:
+ field: event.type
+ value: [end]
+ - set:
+ field: message
+ value: Remote response session ended.
+ - convert:
+ field: crowdstrike.event.HostnameField
+ target_field: host.name
+ type: string
+ ignore_failure: true
+ ignore_missing: true
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml
new file mode 100755
index 0000000000..d965bd8ac7
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml
@@ -0,0 +1,23 @@
+---
+processors:
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: [network, session]
+ - append:
+ field: event.action
+ value: [remote_response_session_start_event]
+ - append:
+ field: event.type
+ value: [start]
+ - set:
+ field: message
+ value: Remote response session started.
+ - convert:
+ field: crowdstrike.event.HostnameField
+ target_field: host.name
+ type: string
+ ignore_failure: true
+ ignore_missing: true
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml
new file mode 100755
index 0000000000..7d03e0115b
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml
@@ -0,0 +1,27 @@
+---
+processors:
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: [iam]
+ - append:
+ field: event.type
+ value: [change]
+ - set:
+ field: event.action
+ value: user_activity_audit_event
+ - convert:
+ field: crowdstrike.event.OperationName
+ target_field: message
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.event.UserIp
+ target_field: source.ip
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != ""
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/agent.yml
new file mode 100755
index 0000000000..5c9e2055ad
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/agent.yml
@@ -0,0 +1,190 @@
+- description: Fields related to the cloud or infrastructure the events are coming from.
+ fields:
+ - description: |-
+ The cloud account or organization id used to identify different entities in a multi-tenant environment.
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+ example: 666777888999
+ ignore_above: 1024
+ level: extended
+ name: account.id
+ type: keyword
+ - description: Availability zone in which this host is running.
+ example: us-east-1c
+ ignore_above: 1024
+ level: extended
+ name: availability_zone
+ type: keyword
+ - description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ ignore_above: 1024
+ level: extended
+ name: instance.id
+ type: keyword
+ - description: Instance name of the host machine.
+ ignore_above: 1024
+ level: extended
+ name: instance.name
+ type: keyword
+ - description: Machine type of the host machine.
+ example: t2.medium
+ ignore_above: 1024
+ level: extended
+ name: machine.type
+ type: keyword
+ - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ ignore_above: 1024
+ level: extended
+ name: provider
+ type: keyword
+ - description: Region in which this host is running.
+ example: us-east-1
+ ignore_above: 1024
+ level: extended
+ name: region
+ type: keyword
+ - description: Name of the project in Google Cloud.
+ name: project.id
+ type: keyword
+ - description: Image ID for the cloud instance.
+ name: image.id
+ type: keyword
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ group: 2
+ name: cloud
+ title: Cloud
+ type: group
+- description: |-
+ Container fields are used for meta information about the specific container that is the source of information.
+ These fields help correlate data based containers from any runtime.
+ fields:
+ - description: Unique container id.
+ name: id
+ type: keyword
+ - description: Name of the image the container was built on.
+ ignore_above: 1024
+ level: extended
+ name: image.name
+ type: keyword
+ - description: Image labels.
+ level: extended
+ name: labels
+ object_type: keyword
+ type: object
+ - description: Container name.
+ ignore_above: 1024
+ level: extended
+ name: name
+ type: keyword
+ group: 2
+ name: container
+ title: Container
+ type: group
+- description: |-
+ A host is defined as a general computing instance.
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+ fields:
+ - description: Operating system architecture.
+ example: x86_64
+ ignore_above: 1024
+ level: core
+ name: architecture
+ type: keyword
+ - default_field: false
+ description: |-
+ Name of the domain of which the host is a member.
+ For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
+ example: CONTOSO
+ ignore_above: 1024
+ level: extended
+ name: domain
+ type: keyword
+ - description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ ignore_above: 1024
+ level: core
+ name: hostname
+ type: keyword
+ - description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ ignore_above: 1024
+ level: core
+ name: id
+ type: keyword
+ - description: Host ip addresses.
+ level: core
+ name: ip
+ type: ip
+ - description: Host mac addresses.
+ ignore_above: 1024
+ level: core
+ name: mac
+ type: keyword
+ - description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: name
+ type: keyword
+ - description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ ignore_above: 1024
+ level: extended
+ name: os.family
+ type: keyword
+ - description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ ignore_above: 1024
+ level: extended
+ name: os.kernel
+ type: keyword
+ - description: Operating system name, without the version.
+ example: Mac OS X
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - default_field: false
+ name: text
+ norms: false
+ type: text
+ name: os.name
+ type: keyword
+ - description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ ignore_above: 1024
+ level: extended
+ name: os.platform
+ type: keyword
+ - description: Operating system version as a raw string.
+ example: 10.14.1
+ ignore_above: 1024
+ level: extended
+ name: os.version
+ type: keyword
+ - description: |-
+ Type of host.
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+ ignore_above: 1024
+ level: core
+ name: type
+ type: keyword
+ - description: |
+ If the host is a container.
+ name: containerized
+ type: boolean
+ - description: |
+ OS build information.
+ example: 18D109
+ name: os.build
+ type: keyword
+ - description: |
+ OS codename, if any.
+ example: stretch
+ name: os.codename
+ type: keyword
+ group: 2
+ name: host
+ title: Host
+ type: group
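Review bot: `ignore_above: 1024` is present on almost every keyword field in agent.yml but missing on `host.name`, `container.id`, `cloud.project.id` and `cloud.image.id`, so those four will index values of any length while their siblings truncate; unless the package tooling applies a default (which this file does not show), add `ignore_above: 1024` to each of them, or leave a comment if the difference is intentional. Separately, `cloud.project.id` is described as "Name of the project in Google Cloud." although it is an identifier, not a name; `description: Cloud project identifier.` would match the field.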
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/fields/base-fields.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/base-fields.yml
new file mode 100755
index 0000000000..8248c071b3
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: crowdstrike
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: crowdstrike.falcon
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/beats.yml
new file mode 100755
index 0000000000..986a819b29
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/beats.yml
@@ -0,0 +1,14 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/ecs.yml
new file mode 100755
index 0000000000..5a7c547c56
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/ecs.yml
@@ -0,0 +1,229 @@
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ URL linking to an external system to continue investigation of this event.
+ This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+ name: event.url
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.technique.name
+ type: keyword
+- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
+ name: threat.tactic.name
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: |-
+ Array of process arguments, starting with the absolute path to the executable.
+ May be filtered to protect sensitive information.
+ name: process.args
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.executable
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.command_line
+ type: wildcard
+- description: |-
+ Custom name of the agent.
+ This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
+ If no name is given, the name is often left empty.
+ name: agent.name
+ type: keyword
+- description: |-
+ Unique identifier of this agent (if one exists).
+ Example: For Beats this would be beat.id.
+ name: agent.id
+ type: keyword
+- description: |-
+ Type of the agent.
+ The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+ name: agent.type
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: The description of the rule generating the event.
+ name: rule.description
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All the hashes seen on your event.
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/fields.yml
new file mode 100755
index 0000000000..f8b93a2aaf
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/fields/fields.yml
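Review bot: In ecs.yml the `process.parent.executable` entry reuses the `process.executable` description "Absolute path to the process executable.", and `process.parent.command_line` reuses the text of `process.command_line`, so the generated field reference cannot tell parent from child. Suggest `description: Absolute path to the parent process executable.` for the former and, for the latter, opening the block scalar with "Full command line that started the parent process, including the absolute path to the executable, and all arguments." while keeping the second sentence. The mappings themselves (keyword and wildcard with a `text` multi-field) match their `process.*` counterparts, so this is documentation only.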
@@ -0,0 +1,399 @@
+- name: crowdstrike.metadata
+ title: Metadata fields
+ type: group
+ fields:
+ - name: eventType
+ type: keyword
+ description: |
+ DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent
+ - name: eventCreationTime
+ type: date
+ description: |
+ The time this event occurred on the endpoint in UTC UNIX_MS format.
+ - name: offset
+ type: integer
+ description: |
+ Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
+ - name: customerIDString
+ type: keyword
+ description: |
+ Customer identifier
+ - name: version
+ type: keyword
+ description: |
+ Schema version
+- name: crowdstrike.event
+ title: Event fields
+ type: group
+ fields:
+ - name: ProcessStartTime
+ type: date
+ description: |
+ The process start time in UTC UNIX_MS format.
+ - name: ProcessEndTime
+ type: date
+ description: |
+ The process termination time in UTC UNIX_MS format.
+ - name: ProcessId
+ type: integer
+ description: |
+ Process ID related to the detection.
+ - name: ParentProcessId
+ type: integer
+ description: |
+ Parent process ID related to the detection.
+ - name: ComputerName
+ type: keyword
+ description: |
+ Name of the computer where the detection occurred.
+ - name: UserName
+ type: keyword
+ description: |
+ User name associated with the detection.
+ - name: DetectName
+ type: keyword
+ description: |
+ Name of the detection.
+ - name: DetectDescription
+ type: keyword
+ description: |
+ Description of the detection.
+ - name: Severity
+ type: integer
+ description: |
+ Severity score of the detection.
+ - name: SeverityName
+ type: keyword
+ description: |
+ Severity score text.
+ - name: FileName
+ type: keyword
+ description: |
+ File name of the associated process for the detection.
+ - name: FilePath
+ type: keyword
+ description: |
+ Path of the executable associated with the detection.
+ - name: CommandLine
+ type: keyword
+ description: |
+ Executable path with command line arguments.
+ - name: SHA1String
+ type: keyword
+ description: |
+ SHA1 sum of the executable associated with the detection.
+ - name: SHA256String
+ type: keyword
+ description: |
+ SHA256 sum of the executable associated with the detection.
+ - name: MD5String
+ type: keyword
+ description: |
+ MD5 sum of the executable associated with the detection.
+ - name: MachineDomain
+ type: keyword
+ description: |
+ Domain for the machine associated with the detection.
+ - name: FalconHostLink
+ type: keyword
+ description: |
+ URL to view the detection in Falcon.
+ - name: SensorId
+ type: keyword
+ description: |
+ Unique ID associated with the Falcon sensor.
+ - name: DetectId
+ type: keyword
+ description: |
+ Unique ID associated with the detection.
+ - name: LocalIP
+ type: keyword
+ description: |
+ IP address of the host associated with the detection.
+ - name: MACAddress
+ type: keyword
+ description: |
+ MAC address of the host associated with the detection.
+ - name: Tactic
+ type: keyword
+ description: |
+ MITRE tactic category of the detection.
+ - name: Technique
+ type: keyword
+ description: |
+ MITRE technique category of the detection.
+ - name: Objective
+ type: keyword
+ description: |
+ Method of detection.
+ - name: PatternDispositionDescription
+ type: keyword
+ description: |
+ Action taken by Falcon.
+ - name: PatternDispositionValue
+ type: integer
+ description: |
+ Unique ID associated with action taken.
+ - name: PatternDispositionFlags
+ type: group
+ description: |
+ Flags indicating actions taken.
+ fields:
+ - name: Detect
+ type: boolean
+ - name: InddetMask
+ type: boolean
+ - name: Indicator
+ type: boolean
+ - name: KillParent
+ type: boolean
+ - name: KillProcess
+ type: boolean
+ - name: KillSubProcess
+ type: boolean
+ - name: OperationBlocked
+ type: boolean
+ - name: PolicyDisabled
+ type: boolean
+ - name: ProcessBlocked
+ type: boolean
+ - name: QuarantineFile
+ type: boolean
+ - name: QuarantineMachine
+ type: boolean
+ - name: Rooting
+ type: boolean
+ - name: SensorOnly
+ type: boolean
+ - name: BootupSafeguardEnabled
+ type: boolean
+ - name: CriticalProcessDisabled
+ type: boolean
+ - name: FsOperationBlocked
+ type: boolean
+ - name: RegistryOperationBlocked
+ type: boolean
+ - name: State
+ type: keyword
+ description: |
+ Whether the incident summary is open and ongoing or closed.
+ - name: IncidentStartTime
+ type: date
+ description: |
+ Start time for the incident in UTC UNIX format.
+ - name: IncidentEndTime
+ type: date
+ description: |
+ End time for the incident in UTC UNIX format.
+ - name: FineScore
+ type: float
+ description: |
+ Score for incident.
+ - name: UserId
+ type: keyword
+ description: |
+ Email address or user ID associated with the event.
+ - name: UserIp
+ type: keyword
+ description: |
+ IP address associated with the user.
+ - name: OperationName
+ type: keyword
+ description: |
+ Event subtype.
+ - name: ServiceName
+ type: keyword
+ description: |
+ Service associated with this event.
+ - name: Success
+ type: boolean
+ description: |
+ Indicator of whether or not this event was successful.
+ - name: UTCTimestamp
+ type: date
+ description: |
+ Timestamp associated with this event in UTC UNIX format.
+ - name: AuditKeyValues
+ type: nested
+ description: |
+ Fields that were changed in this event.
+ - name: ExecutablesWritten
+ type: nested
+ description: |
+ Detected executables written to disk by a process.
+ - name: SessionId
+ type: keyword
+ description: |
+ Session ID of the remote response session.
+ - name: HostnameField
+ type: keyword
+ description: |
+ Host name of the machine for the remote session.
+ - name: StartTimestamp
+ type: date
+ description: |
+ Start time for the remote session in UTC UNIX format.
+ - name: EndTimestamp
+ type: date
+ description: |
+ End time for the remote session in UTC UNIX format.
+ - name: LateralMovement
+ type: long
+ description: |
+ Lateral movement field for incident.
+ - name: ParentImageFileName
+ type: keyword
+ description: |
+ Path to the parent process.
+ - name: ParentCommandLine
+ type: keyword
+ description: |
+ Parent process command line arguments.
+ - name: GrandparentImageFileName
+ type: keyword
+ description: |
+ Path to the grandparent process.
+ - name: GrandparentCommandLine
+ type: keyword
+ description: |
+ Grandparent process command line arguments.
+ - name: IOCType
+ type: keyword
+ description: |
+ CrowdStrike type for indicator of compromise.
+ - name: IOCValue
+ type: keyword
+ description: |
+ CrowdStrike value for indicator of compromise.
+ - name: CustomerId
+ type: keyword
+ description: |
+ Customer identifier.
+ - name: DeviceId
+ type: keyword
+ description: |
+ Device on which the event occurred.
+ - name: Ipv
+ type: keyword
+ description: |
+ Protocol for network request.
+ - name: ConnectionDirection
+ type: keyword
+ description: |
+ Direction for network connection.
+ - name: EventType
+ type: keyword
+ description: |
+ CrowdStrike provided event type.
+ - name: HostName
+ type: keyword
+ description: |
+ Host name of the local machine.
+ - name: ICMPCode
+ type: keyword
+ description: |
+ RFC2780 ICMP Code field.
+ - name: ICMPType
+ type: keyword
+ description: |
+ RFC2780 ICMP Type field.
+ - name: ImageFileName
+ type: keyword
+ description: |
+ File name of the associated process for the detection.
+ - name: PID
+ type: long
+ description: |
+ Associated process id for the detection.
+ - name: LocalAddress
+ type: ip
+ description: |
+ IP address of local machine.
+ - name: LocalPort
+ type: long
+ description: |
+ Port of local machine.
+ - name: RemoteAddress
+ type: ip
+ description: |
+ IP address of remote machine.
+ - name: RemotePort
+ type: long
+ description: |
+ Port of remote machine.
+ - name: RuleAction
+ type: keyword
+ description: |
+ Firewall rule action.
+ - name: RuleDescription
+ type: keyword
+ description: |
+ Firewall rule description.
+ - name: RuleFamilyID
+ type: keyword
+ description: |
+ Firewall rule family id.
+ - name: RuleGroupName
+ type: keyword
+ description: |
+ Firewall rule group name.
+ - name: RuleName
+ type: keyword
+ description: |
+ Firewall rule name.
+ - name: RuleId
+ type: keyword
+ description: |
+ Firewall rule id.
+ - name: MatchCount
+ type: long
+ description: |
+ Number of firewall rule matches.
+ - name: MatchCountSinceLastReport
+ type: long
+ description: |
+ Number of firewall rule matches since the last report.
+ - name: Timestamp
+ type: date
+ description: |
+ Firewall rule triggered timestamp.
+ - name: Flags.Audit
+ type: boolean
+ description: |
+ CrowdStrike audit flag.
+ - name: Flags.Log
+ type: boolean
+ description: |
+ CrowdStrike log flag.
+ - name: Flags.Monitor
+ type: boolean
+ description: |
+ CrowdStrike monitor flag.
+ - name: Protocol
+ type: keyword
+ description: |
+ CrowdStrike provided protocol.
+ - name: NetworkProfile
+ type: keyword
+ description: |
+ CrowdStrike network profile.
+ - name: PolicyName
+ type: keyword
+ description: |
+ CrowdStrike policy name.
+ - name: PolicyID
+ type: keyword
+ description: |
+ CrowdStrike policy id.
+ - name: Status
+ type: keyword
+ description: |
+ CrowdStrike status.
+ - name: TreeID
+ type: keyword
+ description: |
+ CrowdStrike tree id.
+ - name: Commands
+ type: keyword
+ description: |
+ Commands run in a remote session.
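Review bot: In fields.yml `ProcessId` and `ParentProcessId` are mapped as `integer` (32-bit signed) while `PID`, further down the same `crowdstrike.event` group, is `long`; if the upstream identifiers ever exceed 2^31-1 the document is rejected with a mapping exception, and nothing in this change sets ignore_malformed. Unless the 32-bit range is known to hold for these two, align them with `PID` by changing both to `type: long`. A related inconsistency: `LocalIP` is `keyword` while `LocalAddress` and `RemoteAddress` are `ip`; if keyword was chosen deliberately to tolerate unparseable values, a one-line comment above `LocalIP` would save the next reader the question.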
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/manifest.yml b/packages/crowdstrike/1.3.2/data_stream/falcon/manifest.yml
new file mode 100755
index 0000000000..29fc804f02
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/manifest.yml
@@ -0,0 +1,42 @@
+type: logs
+title: Crowdstrike falcon logs
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/crowdstrike/falconhoseclient/output
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-falcon
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Crowdstrike falcon logs (log)
+ description: Collect Crowdstrike falcon logs using log input
diff --git a/packages/crowdstrike/1.3.2/data_stream/falcon/sample_event.json b/packages/crowdstrike/1.3.2/data_stream/falcon/sample_event.json
new file mode 100755
index 0000000000..b2a82f11fc
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/falcon/sample_event.json
@@ -0,0 +1,109 @@ +{ + "@timestamp": "2020-02-12T21:29:10.710Z", + "agent": { + "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575", + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "crowdstrike": { + "event": { + "AuditKeyValues": [ + { + "Key": "APIClientID", + "ValueString": "1234567890abcdefghijklmnopqr" + }, + { + "Key": "partition", + "ValueString": "0" + }, + { + "Key": "offset", + "ValueString": "-1" + }, + { + "Key": "appId", + "ValueString": "siem-connector-v2.0.0" + }, + { + "Key": "eventType", + "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" + } + ], + "OperationName": "streamStarted", + "ServiceName": "Crowdstrike Streaming API", + "Success": true, + "UTCTimestamp": "2020-02-12T21:29:10.000Z", + "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "UserIp": "10.10.0.8" + }, + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "eventCreationTime": "2020-02-12T21:29:10.710Z", + "eventType": "AuthActivityAuditEvent", + "offset": 0, + "version": "1.0" + } + }, + "data_stream": { + "dataset": "crowdstrike.falcon", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "dataset": "crowdstrike.falcon", + "ingested": "2022-05-09T16:35:19Z", + "kind": "event", + "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": 
\"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", + "outcome": "success", + "type": [ + "change" + ] + }, + "event.action": "stream_started", + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/falcon-audit-events.log" + }, + "flags": [ + "multiline" + ], + "offset": 910 + }, + "message": "Crowdstrike Streaming API", + "related": { + "ip": [ + "10.10.0.8" + ], + "user": [ + "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + ] + }, + "source": { + "ip": "10.10.0.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-falcon" + ], + "user": { + "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + } +} \ No newline at end of file diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..bd89d34816 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,57 @@
+queue_url: {{queue_url}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+{{#if is_fdr_queue}}
+sqs.notification_parsing_script.source: {{fdr_parsing_script}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{else}}
+{{#if preserve_original_event}}
+tags:
+{{/if}}
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..51174aef53
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/agent/stream/stream.yml.hbs
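Review bot: The credential lines `access_key_id: {{access_key_id}}`, `secret_access_key: {{secret_access_key}}` and `session_token: {{session_token}}` expand into unquoted YAML plain scalars, so a value containing ` #` or `: `, or beginning with a YAML indicator such as `*`, `&` or `[`, is truncated or mis-parsed by the agent's YAML loader and the input fails to authenticate with no hint that the configured secret was altered. Quoting the expansions, e.g. `secret_access_key: "{{secret_access_key}}"`, keeps the rendered value intact; `queue_url`, `endpoint` and `proxy_url` benefit from the same treatment, as does `- {{path}}` in stream.yml.hbs. If the renderer used for these templates already quotes or escapes substitutions this is moot, but that is not visible from the template itself. Separately, `{{#if proxy_url }}` carries a stray space inside the guard that none of the sibling guards have.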
@@ -0,0 +1,26 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+{{#if tags.length}}
+tags:
+{{else}}
+{{#if preserve_original_event}}
+tags:
+{{/if}}
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.2/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..efcb3a4ad7
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
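Review bot: `- add_locale: ~` spells null with the tilde form, which reads as a placeholder rather than a deliberate empty processor config; `- add_locale: null` (or `- add_locale: {}`) states the intent explicitly and matches the canonical spelling most YAML linters expect. The `exclude_files: [".gz$"]` pattern is quoted correctly, so the only remaining plain scalar in this template that could be altered by YAML parsing is `- {{path}}`, where a user-supplied path containing ` #` would be silently cut at that point; quoting it as `- "{{path}}"` closes that gap.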
@@ -0,0 +1,1301 @@
+---
+description: Pipeline for processing sample logs
+processors:
+ ## Message decoding.
+ - rename:
+ tag: message-to-original
+ field: message
+ target_field: event.original
+ - json:
+ tag: json-decoding
+ description: Decodes original JSON into `crowdstrike` field.
+ field: event.original
+ target_field: crowdstrike
+ - date:
+ tag: date-timestamp
+ description: Parse timestamp from event.
+ field: crowdstrike.timestamp
+ target_field: event.created
+ formats:
+ - UNIX_MS
+ ignore_failure: true
+ - date:
+ tag: date-event-created
+ description: Parse timestamp from event.
+ field: crowdstrike.CreationTimeStamp
+ target_field: event.created
+ formats:
+ - UNIX
+ ignore_failure: true
+ if: ctx?.event?.created == null
+ - set:
+ tag: set-timestamp
+ field: "@timestamp"
+ copy_from: event.created
+ if: ctx?.event?.created != null && (ctx?.crowdstrike?.ContextTimeStamp == null || ctx?.crowdstrike?.ContextTimeStamp == "")
+ - date:
+ tag: date-context-timestamp
+ field: crowdstrike.ContextTimeStamp
+ formats:
+ - UNIX
+ ignore_failure: true
+ - rename:
+ tag: rename-message
+ field: crowdstrike.message
+ target_field: message
+ ignore_missing: true
+
+ ## ECS fields.
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+
+ ## Categorization.
+ - script:
+ tag: script-categorize-events
+ description: Categorize events.
+ lang: painless + source: |- + def c = [ + "AcUninstallConfirmation":["category":["package"],"type":["deletion"],"kind":"state","outcome":"success"], + "AcUnloadConfirmation":["category":["package"],"type":["deletion"],"kind":"state","outcome":"success"], + "AgentConnect":["category":["network","session"],"type":["connection","info"],"kind":"event","outcome":"success"], + "AgentOnline":["category":["configuration","package","host"],"type":["change","installation","start"],"kind":"state","outcome":"success"], + "AmsiRegistrationStatus":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "AsepFileChange":["category":["file"],"type":["creation","change"],"kind":"event","outcome":"success"], + "AsepKeyUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"], + "AsepValueUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"], + "AssociateIndicator":["category":["malware"],"type":["info"],"kind":"alert","outcome":"unknown"], + "AssociateTreeIdWithRoot":["category":["malware"],"type":["info"],"kind":"alert","outcome":"success"], + "BITSJobCreated":["category":["network","file"],"type":["connection","creation"],"kind":"event","outcome":"success"], + "BZip2FileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "BehaviorWhitelisted":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "BrowserInjectedThread":["category":["process"],"type":["access","change"],"kind":"event","outcome":"success"], + "CloudAssociateTreeIdWithRoot":["category":["malware"],"type":["deletion"],"kind":"alert","outcome":"success"], + "CommandHistory":["category":["process"],"type":["end","info"],"kind":"event","outcome":"success"], + "ConfigStateUpdate":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "CrashNotification":["category":["host"],"type":["info"],"kind":"event","outcome":"failure"], + 
"CreateProcessArgs":["category":["process"],"type":["start"],"kind":"state","outcome":"success"], + "CreateService":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "CreateThreadNoStartImage":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "CreateThreadReflectiveDll":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "CriticalEnvironmentVariableChanged":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "CriticalFileAccessed":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"], + "CriticalFileModified":["category":["file"],"type":["change"],"kind":"alert","outcome":"success"], + "CurrentSystemTags":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "CustomIOABasicProcessDetectionInfoEvent":["category":["malware"],"type":["info"],"kind":"alert","outcome":"unknown"], + "DCSyncAttempted":["category":["configuration","iam"],"type":["access"],"kind":"event","outcome":"unknown"], + "DcOffline":["category":["iam"],"type":["info"],"kind":"event","outcome":"success"], + "DcOnline":["category":["iam"],"type":["info"],"kind":"event","outcome":"success"], + "DcStatus":["category":["iam"],"type":["info"],"kind":"state","outcome":"success"], + "DetectAnalysis":["category":["malware"],"type":["info"],"kind":"alert","outcome":"success"], + "DetectionExcluded":["category":["configuration","malware"],"type":["change","info"],"kind":"alert","outcome":"success"], + "DirectoryCreate":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "DllInjection":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "DmpFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "DnsRequest":["category":["network"],"type":["protocol"],"kind":"event","outcome":"success"], + 
"DocumentProgramInjectedThread":["category":["process"],"type":["access","change"],"kind":"event","outcome":"success"], + "DriverLoad":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + "DwgFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "EarlyExploitPivotDetect":["category":["malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "EndOfProcess":["category":["process"],"type":["end"],"kind":"event","outcome":"success"], + "ErrorEvent":["category":["package"],"type":["info"],"kind":"alert","outcome":"failure"], + "EtwErrorEvent":["category":["package","host"],"type":["info"],"kind":"event","outcome":"failure"], + "ExecutableDeleted":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"], + "FalconHostRegTamperingInfo":["category":["registry"],"type":["change"],"kind":"alert","outcome":"unknown"], + "FalconServiceStatus":["category":["package"],"type":["info"],"kind":"state","outcome":"unknown"], + "FileCreateInfo":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "FileDeleteInfo":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"], + "FileDetectInfo":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"], + "FileInfo":["category":["file"],"type":["info"],"kind":"event","outcome":"unknown"], + "FileOpenInfo":["category":["file"],"type":["access"],"kind":"event","outcome":"success"], + "FileRenameInfo":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "FileSystemOperationBlocked":["category":["file"],"type":["change","deletion"],"kind":"event","outcome":"failure"], + "FileSystemOperationDetectInfo":["category":["file"],"type":["change","deletion"],"kind":"alert","outcome":"unknown"], + "FileTimestampsModified":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + 
"FirewallChangeOption":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRule":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRuleIP4":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRuleIP6":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDisabled":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallEnabled":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRule":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRuleIP4":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRuleIP6":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirmwareAnalysisErrorEvent":["category":["host"],"type":["info"],"kind":"state","outcome":"failure"], + "FirmwareAnalysisHardwareData":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "FirmwareAnalysisStatus":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "FlashThreadCreateProcess":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "FsPostOpenSnapshotFile":["category":["file"],"type":["access"],"kind":"event","outcome":"success"], + "FsVolumeMounted":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "FsVolumeUnmounted":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "HostInfo":["category":["host"],"type":["info"],"kind":"event","outcome":"success"], + "HostedServiceStarted":["category":["package"],"type":["start"],"kind":"event","outcome":"success"], + "HostedServiceStopped":["category":["package"],"type":["end"],"kind":"event","outcome":"success"], 
+ "HostnameChanged":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "HttpRequestDetect":["category":["network","session"],"type":["connection","start"],"kind":"event","outcome":"success"], + "HttpVisibilityStatus":["category":["session"],"type":["info"],"kind":"state","outcome":"unknown"], + "IOServiceRegister":["category":["package"],"type":["change"],"kind":"event","outcome":"success"], + "ImageHash":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "InjectedThread":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "InjectedThreadFromUnsignedModule":["category":["process"],"type":["change"],"kind":"alert","outcome":"success"], + "InstallBundleDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "InstallServiceDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "InstalledApplication":["category":["package"],"type":["installation"],"kind":"event","outcome":"success"], + "InstalledUpdates":["category":["host","package"],"type":["change","installation"],"kind":"event","outcome":"success"], + "InstanceMetadata":["category":["host"],"type":["info"],"kind":"state","outcome":"unknown"], + "IoSessionConnected":["category":["session"],"type":["start"],"kind":"event","outcome":"success"], + "IoSessionLoggedOn":["category":["session"],"type":["end"],"kind":"event","outcome":"success"], + "JarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "JavaClassFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "JavaInjectedThread":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "KernelModeLoadImage":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + "KextLoad":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + 
"KextUnload":["category":["driver"],"type":["end"],"kind":"event","outcome":"success"], + "LFODownloadConfirmation":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "LfoUploadDataComplete":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "LfoUploadDataFailed":["category":["file"],"type":["change"],"kind":"event","outcome":"failure"], + "LfoUploadDataUnneeded":["category":["file"],"type":["change"],"kind":"event","outcome":"failure"], + "LocalIpAddressIP4":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressIP6":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressRemovedIP4":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressRemovedIP6":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LsassHandleFromUnsignedModule":["category":["process"],"type":["change"],"kind":"alert","outcome":"unknown"], + "MachOFileWritten":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "ManifestDownloadComplete":["category":["configuration","file"],"type":["change","creation"],"kind":"event","outcome":"success"], + "ModifyServiceBinary":["category":["file"],"type":["change"],"kind":"alert","outcome":"unknown"], + "ModuleBlockedEvent":["category":["process","malware"],"type":["info","denied"],"kind":"alert","outcome":"success"], + "ModuleBlockedEventWithPatternId":["category":["process","malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "ModuleDetectInfo":["category":["process","malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "NeighborListIP4":["category":["host","network"],"type":["info"],"kind":"state","outcome":"unknown"], + "NeighborListIP6":["category":["host","network"],"type":["info"],"kind":"state","outcome":"unknown"], + 
"NetShareAdd":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "NetShareDelete":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "NetShareSecurityModify":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "NetworkCloseIP4":["category":["network"],"type":["end","connection"],"kind":"event","outcome":"unknown"], + "NetworkCloseIP6":["category":["network"],"type":["end","connection"],"kind":"event","outcome":"unknown"], + "NetworkConnectIP4":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"unknown"], + "NetworkConnectIP6":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"unknown"], + "NetworkListenIP4":["category":["network"],"type":["start"],"kind":"event","outcome":"success"], + "NetworkListenIP6":["category":["network"],"type":["start"],"kind":"event","outcome":"success"], + "NetworkReceiveAcceptIP4":["category":["network"],"type":["allowed","access","connection"],"kind":"event","outcome":"unknown"], + "NetworkReceiveAcceptIP6":["category":["network"],"type":["allowed","access","connection"],"kind":"event","outcome":"unknown"], + "NewExecutableRenamed":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "NewExecutableWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "NewScriptWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OciContainerTelemetry":["category":["host"],"type":["info"],"kind":"state","outcome":"unknown"], + "OleFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OoxmlFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OsVersionInfo":["category":["host"],"type":["info"],"kind":"event","outcome":"success"], + "PackedExecutableWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + 
"PdfFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "PeFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "PeVersionInfo":["category":["file"],"type":["info"],"kind":"event","outcome":"success"], + "PrivilegedProcessHandleFromUnsignedModule":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"], + "ProcessBlocked":["category":["process"],"type":["access"],"kind":"alert","outcome":"failure"], + "ProcessExecOnPackedExecutable":["category":["process","file"],"type":["access"],"kind":"alert","outcome":"success"], + "ProcessExecOnSMBFile":["category":["process","file","network"],"type":["access"],"kind":"alert","outcome":"success"], + "ProcessHandleOpDetectInfo":["category":["process","malware"],"type":["info"],"kind":"alert","outcome":"success"], + "ProcessInjection":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "ProcessRollup2":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "ProcessRollup2Stats":["category":["process"],"type":["info"],"kind":"state","outcome":"unknown"], + "ProcessSelfDeleted":["category":["process"],"type":["end"],"kind":"event","outcome":"success"], + "PromiscuousBindIP4":["category":["host"],"type":["change"],"kind":"state","outcome":"success"], + "PtyCreated":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "QuarantineActionResult":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"], + "QuarantinedFile":["category":["file"],"type":["change"],"kind":"alert","outcome":"unknown"], + "QuarantinedFileState":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"], + "QueueApcEtw":["category":["file"],"type":["creation"],"kind":"alert","outcome":"success"], + "RansomwareCreateFile":["category":["file"],"type":["creation"],"kind":"alert","outcome":"success"], + 
"RansomwareFileAccessPattern":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"], + "RansomwareOpenFile":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"], + "RarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "RawBindIP4":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"success"], + "RawBindIP6":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"success"], + "ReflectiveDllOpenProcess":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"], + "RegGenericValueUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"], + "RegSystemConfigValueUpdate":["category":["registry","host","configuration"],"type":["change"],"kind":"event","outcome":"success"], + "RegisterRawInputDevicesEtw":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"], + "RegistryOperationDetectInfo":["category":["malware","registry"],"type":["info"],"kind":"alert","outcome":"success"], + "RemoteBruteForceDetectInfo":["category":["malware","authentication"],"type":["info"],"kind":"alert","outcome":"success"], + "RemovableDiskModuleLoadAttempt":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "RemovableMediaVolumeMounted":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "RtfFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "SAMHashDumpFromUnsignedModule":["category":["registry","file"],"type":["access","creation"],"kind":"alert","outcome":"success"], + "ScheduledTaskDeleted":["category":["configuration"],"type":["deletion"],"kind":"event","outcome":"success"], + "ScheduledTaskModified":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + 
"ScheduledTaskRegistered":["category":["configuration"],"type":["creation"],"kind":"event","outcome":"success"], + "ScreenshotTakenEtw":["category":["process"],"type":["access"],"kind":"event","outcome":"success"], + "ScriptControlBlocked":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"success"], + "ScriptControlDetectInfo":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"success"], + "ScriptControlErrorEvent":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"failure"], + "ScriptControlScanInfo":["category":["malware","file"],"type":["info"],"kind":"state","outcome":"success"], + "ScriptControlScanTelemetry":["category":["malware","file"],"type":["info"],"kind":"state","outcome":"success"], + "SensitiveWmiQuery":["category":["malware","process"],"type":["info"],"kind":"alert","outcome":"success"], + "SensorHeartbeat":["category":["package"],"type":["info"],"kind":"event","outcome":"success"], + "ServiceStarted":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "SetWinEventHookEtw":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"], + "SevenZipFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "SignInfoError":["category":["file"],"type":["info"],"kind":"state","outcome":"failure"], + "SignInfoWithCertAndContext":["category":["file"],"type":["info"],"kind":"state","outcome":"unknown"], + "SignInfoWithContext":["category":["file"],"type":["info"],"kind":"state","outcome":"unknown"], + "SmbClientNamedPipeConnectEtw":["category":["network"],"type":["connection"],"kind":"event","outcome":"success"], + "SmbClientShareClosedEtw":["category":["network"],"type":["connection","end"],"kind":"event","outcome":"success"], + "SmbClientShareOpenedEtw":["category":["network"],"type":["connection","start"],"kind":"event","outcome":"success"], + 
"SmbServerShareOpenedEtw":["category":["network"],"type":["connection","start"],"kind":"event","outcome":"success"], + "SmbServerV1AuditEtw":["category":["network"],"type":["connection"],"kind":"state","outcome":"unknown"], + "SnapshotVolumeMounted":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"], + "SuspiciousCreateSymbolicLink":["category":["malware","file"],"type":["creation","info"],"kind":"alert","outcome":"success"], + "SuspiciousDnsRequest":["category":["network"],"type":["start","protocol"],"kind":"alert","outcome":"success"], + "SuspiciousEseFileWritten":["category":["malware","file"],"type":["creation","info"],"kind":"alert","outcome":"success"], + "SuspiciousRegAsepUpdate":["category":["malware","registry","configuration"],"type":["change","info"],"kind":"alert","outcome":"success"], + "SuspiciousUserRemoteAPCAttempt":["category":["malware","process"],"type":["info"],"kind":"alert","outcome":"success"], + "SyntheticProcessRollup2":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "SystemCapacity":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "TarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "TelemetryCounters2":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "TelemetryNetworkConnections":["category":["network"],"type":["connection"],"kind":"state","outcome":"success"], + "TelemetryStats":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "TerminateProcess":["category":["process"],"type":["end"],"kind":"event","outcome":"success"], + "TokenImpersonated":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"], + "UACCOMElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"], + 
"UACExeElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"], + "UACMSIElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"], + "UmppaErrorEvent":["category":["package"],"type":["info"],"kind":"event","outcome":"failure"], + "UnsignedModuleLoad":["category":["process"],"type":["change"],"kind":"alert","outcome":"success"], + "UpdateManifestDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "UserAccountAddedToGroup":["category":["configuration","iam"],"type":["change","group"],"kind":"event","outcome":"success"], + "UserAccountCreated":["category":["configuration","iam"],"type":["creation"],"kind":"event","outcome":"success"], + "UserAccountDeleted":["category":["configuration","iam"],"type":["deletion"],"kind":"event","outcome":"success"], + "UserExceptionDEP":["category":["process","malware"],"type":["info"],"kind":"alert","outcome":"success"], + "UserFontLoad":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "UserIdentity":["category":["authentication","iam"],"type":["info","user"],"kind":"event","outcome":"success"], + "UserLogoff":["category":["authentication"],"type":["end"],"kind":"event","outcome":"success"], + "UserLogon":["category":["authentication"],"type":["start"],"kind":"event","outcome":"success"], + "UserLogonFailed":["category":["authentication"],"type":["start"],"kind":"event","outcome":"failure"], + "UserLogonFailed2":["category":["authentication"],"type":["start"],"kind":"event","outcome":"failure"], + "VolumeSnapshotCreated":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "VolumeSnapshotDeleted":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"], + "WfpFilterTamperingFilterAdded":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + 
"WfpFilterTamperingFilterDeleted":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "WmiCreateProcess":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "WmiFilterConsumerBindingEtw":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "WmiProviderRegistrationEtw":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "WroteExeAndGeneratedServiceEvent":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"], + "XarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "ZipFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"] + ]; + + def v = c.get(ctx?.crowdstrike?.event_simpleName); + if (v != null) { + for (def entry : v.entrySet()) { + ctx.event[entry.getKey().toString()] = entry.getValue(); + } + } + + ## Event fields. + - rename: + field: crowdstrike.id + target_field: event.id + ignore_missing: true + - rename: + field: crowdstrike.event_simpleName + target_field: event.action + ignore_missing: true + +## Prepare data. + - script: + description: Convert all count fields to number. + lang: painless + source: |- + for (entry in ctx.crowdstrike.entrySet()) { + def key = entry.getKey().toString(); + if (key.contains("Count") || key.contains("Port")) { + try { + ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); + } catch (Exception e) { + } + } + } + - script: + description: Remove all 0's hashes. 
+ lang: painless
+ params:
+ MD5HashData: md5
+ SHA1HashData: sha1
+ SHA256HashData: sha256
+ source: |-
+ def hashIsEmpty(String hash) {
+ if (hash == null || hash == "") {
+ return true;
+ }
+
+ Pattern emptyHashRegex = /^0*$/;
+ def matcher = emptyHashRegex.matcher(hash);
+
+ return matcher.matches();
+ }
+
+ def hashes = new HashMap();
+ def related = [
+ "hash": new ArrayList()
+ ];
+ for (entry in params.entrySet()) {
+ def key = entry.getKey().toString();
+ def value = ctx.crowdstrike[key];
+ ctx.crowdstrike.remove(key);
+ if (hashIsEmpty(value)) {
+ continue;
+ }
+
+ hashes[entry.getValue().toString()] = value;
+ related.hash.add(value);
+ }
+
+ ctx._temp = new HashMap();
+ ctx._temp.hashes = hashes;
+ if (related.hash.length > 0) {
+ ctx.related = related;
+ }
+
+ ## Observer fields.
+ - rename:
+ field: crowdstrike.aid
+ target_field: observer.serial_number
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: crowdstrike.aip
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.aip
+ target_field: observer.ip
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: observer.address
+ copy_from: observer.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.AgentVersion
+ target_field: observer.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.ConfigBuild
+ target_field: observer.version
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: observer.vendor
+ value: crowdstrike
+ - set:
+ field: observer.type
+ value: agent
+ - append:
+ field: related.ip
+ value: "{{observer.ip}}"
+ allow_duplicates: false
+ if: ctx?.observer?.ip != null && ctx.observer.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{observer.ip}}"
+ allow_duplicates: false
+ if: ctx?.observer?.ip != null && ctx.observer.ip != ""
+
+ ## Host fields.
+ - rename:
+ field: crowdstrike.ComputerName
+ target_field: host.hostname
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ copy_from: host.hostname
+ ignore_empty_value: true
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: "{{host.name}}"
+ allow_duplicates: false
+ if: ctx.host?.name != null
+ - rename:
+ field: crowdstrike.City
+ target_field: host.geo.city_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Continent
+ target_field: host.geo.continent_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Country
+ target_field: host.geo.country_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Timezone
+ target_field: host.geo.timezone
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.MachineDomain
+ target_field: host.domain
+ ignore_missing: true
+ ignore_failure: true
+
+ ## IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ ## IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+ ## OS fields.
+ - set:
+ field: os.type
+ value: linux
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Lin"
+ - set:
+ field: os.type
+ value: macos
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Mac"
+ - set:
+ field: os.type
+ value: windows
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Win"
+ - rename:
+ field: crowdstrike.OSVersionString
+ target_field: os.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Version
+ target_field: os.version
+ ignore_missing: true
+ ignore_failure: true
+
+ ## Process fields.
+ - rename:
+ field: crowdstrike.CommandLine
+ target_field: process.command_line
+ ignore_missing: true
+ - script:
+ description: Implements Windows-like SplitCommandLine
+ lang: painless
+ if: ctx?.process?.command_line != null && ctx.process.command_line != "" && ctx?.os?.type != null
+ source: |-
+ // appendBSBytes appends n '\\' bytes to b and returns the resulting slice.
+ def appendBSBytes(StringBuilder b, int n) {
+ for (; n > 0; n--) {
+ b.append('\\');
+ }
+ return b;
+ }
+
+ // readNextArg splits command line string cmd into next
+ // argument and command line remainder.
+ def readNextArg(String cmd) {
+ def b = new StringBuilder();
+ boolean inquote;
+ int nslash;
+ for (; cmd.length() > 0; cmd = cmd.substring(1)) {
+ def c = cmd.charAt(0);
+ if (c == (char)' ' || c == (char)0x09) {
+ if (!inquote) {
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": cmd.substring(1)
+ ];
+ }
+ } else if (c == (char)'"') {
+ b = appendBSBytes(b, nslash/2);
+ if (nslash%2 == 0) {
+ // use "Prior to 2008" rule from
+ // http://daviddeley.com/autohotkey/parameters/parameters.htm
+ // section 5.2 to deal with double double quotes
+ if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') {
+ b.append(c);
+ cmd = cmd.substring(1);
+ }
+ inquote = !inquote;
+ } else {
+ b.append(c);
+ }
+ nslash = 0;
+ continue;
+ } else if (c == (char)'\\') {
+ nslash++;
+ continue;
+ }
+ b = appendBSBytes(b, nslash);
+ nslash = 0;
+ b.append(c);
+ }
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": ''
+ ];
+ }
+
+ // commandLineToArgv splits a command line into individual argument
+ // strings, following the Windows conventions documented
+ // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV
+ // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1
+ def commandLineToArgv(String cmd) {
+ def args = new ArrayList();
+ while (cmd.length() > 0) {
+ if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) {
+ cmd = cmd.substring(1);
+ continue;
+ }
+ def next = readNextArg(cmd);
+ cmd = next.rest;
+ args.add(next.arg);
+ }
+ return args;
+ }
+
+ ctx.process.args = commandLineToArgv(ctx.process.command_line);
+ ctx.process.args_count = ctx.process.args.length;
+
+ - rename:
+ field: crowdstrike.ImageFileName
+ target_field: process.executable
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.ExitCode
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ExitCode
+ target_field: process.exit_code
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: Calculate process.uptime
+ source: |-
+ def d1 = Float.parseFloat(ctx?.crowdstrike?.ProcessStartTime);
+ def d2 = Float.parseFloat(ctx?.crowdstrike?.ProcessEndTime);
+ if (ctx?.process == null) {
+ ctx.process = [];
+ }
+ ctx.process.uptime = (long) ((d2-d1)/1000);
+ if: ctx?.crowdstrike?.ProcessStartTime != null && ctx?.crowdstrike?.ProcessStartTime != "" && ctx?.crowdstrike?.ProcessEndTime != null && ctx?.crowdstrike?.ProcessEndTime != ""
+ - date:
+ field: crowdstrike.ProcessStartTime
+ target_field: crowdstrike.ProcessStartTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ProcessStartTime != null && ctx?.crowdstrike?.ProcessStartTime != ""
+ - rename:
+ field: crowdstrike.ProcessStartTime
+ target_field: process.start
+ ignore_missing: true
+ if: ctx?.crowdstrike?.ProcessStartTime != ""
+ - date:
+ field: crowdstrike.ProcessEndTime
+ target_field: crowdstrike.ProcessEndTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ProcessEndTime != null && ctx?.crowdstrike?.ProcessEndTime != ""
+ - rename:
+ field: crowdstrike.ProcessEndTime
+ target_field: process.end
+ ignore_missing: true
+ if: ctx?.crowdstrike?.ProcessEndTime != ""
+ - convert:
+ field: crowdstrike.RawProcessId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RawProcessId
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.TargetProcessId
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ParentProcessId
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ParentBaseFileName
+ target_field: process.parent.name
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.ProcessGroupId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ProcessGroupId
+ target_field: process.pgid
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ContextProcessId
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.process?.entity_id == null
+ - convert:
+ field: crowdstrike.ContextThreadId
+ type: long
+ ignore_missing: true
+ if: ctx?.process?.thread?.id == null
+ - rename:
+ field: crowdstrike.ContextThreadId
+ target_field: process.thread.id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.process?.thread?.id == null
+ - convert:
+ field: crowdstrike.EtwRawProcessId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.EtwRawProcessId
+ target_field: process.pid
+ ignore_missing: true
+ if: ctx?.process?.pid == null
+ - convert:
+ field: crowdstrike.EtwRawThreadId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.EtwRawThreadId
+ target_field: process.thread.id
+ ignore_missing: true
+ if: ctx?.process?.thread?.id == null
+ - rename:
+ field: crowdstrike.ServiceDisplayName
+ target_field: process.title
+ ignore_missing: true
+ - rename:
+ field: _temp.hashes
+ target_field: process.hash
+ if: ctx?.event?.action != null && (ctx.event.action.contains("Process") || ctx.event.action.contains("Service")) && ctx?._temp?.hashes != null && ctx?._temp?.hashes.size() > 0
+
+ ## User fields.
+ - rename:
+ field: crowdstrike.UID
+ target_field: user.id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.GID
+ target_field: user.group.id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.UserSid
+ target_field: user.id
+ ignore_missing: true
+ if: ctx?.user?.id == null || ctx.user.id == ""
+ - append:
+ field: user.roles
+ value: admin
+ if: ctx?.crowdstrike?.UserIsAdmin == "1"
+ - rename:
+ field: crowdstrike.UserName
+ target_field: user.name
+ ignore_missing: true
+ - split:
+ field: crowdstrike.UserPrincipal
+ target_field: "_temp.user_parts"
+ separator: '@'
+ if: ctx?.crowdstrike?.UserPrincipal != null
+ - rename:
+ field: crowdstrike.UserPrincipal
+ target_field: user.email
+ ignore_missing: true
+ - set:
+ field: user.domain
+ value: "{{_temp.user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - set:
+ field: user.full_name
+ value: "{{_temp.user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.name != null
+ - append:
+ field: related.user
+ value: "{{user.full_name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.full_name != null
+
+ ## Networking fields.
+ - convert:
+ field: crowdstrike.LocalAddressIP4
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.LocalAddressIP4
+ target_field: source.ip
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: source.ip
+ ignore_empty_value: true
+ - convert:
+ field: crowdstrike.LocalAddressIP6
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.LocalAddressIP6
+ target_field: source.ip
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: source.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.LocalPort
+ target_field: source.port
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.RemoteAddressIP4
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RemoteAddressIP4
+ target_field: destination.ip
+ ignore_missing: true
+ - set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+ - convert:
+ field: crowdstrike.RemoteAddressIP6
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RemoteAddressIP6
+ target_field: destination.ip
+ ignore_missing: true
+ - set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.RemotePort
+ target_field: destination.port
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.Protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number == '0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+ ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.crowdstrike?.ConnectionDirection == "0"
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.crowdstrike?.ConnectionDirection == "1"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null && ctx?.crowdstrike?.ConnectionDirection != null && ctx.crowdstrike.ConnectionDirection != ""
+ - community_id:
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx.destination.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx.destination.ip != ""
+ - rename:
+ field: crowdstrike.PhysicalAddress
+ target_field: source.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.DownloadServer
+ target_field: server.address
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.DownloadPath
+ target_field: url.path
+ ignore_missing: true
+
+ ## URL fields.
+ - set:
+ field: url.path
+ value: "/{{url.path}}"
+ if: ctx.url?.path != null && !ctx.url.path.startsWith("/")
+ - registered_domain:
+ field: server.address
+ target_field: server
+ ignore_missing: true
+ - set:
+ field: url.scheme
+ value: https
+ if: ctx?.crowdstrike?.DownloadPort == 443
+ - set:
+ field: url.scheme
+ value: http
+ if: ctx?.crowdstrike?.DownloadPort != 443
+ - set:
+ field: url.full
+ value: "{{url.scheme}}://{{server.address}}{{url.path}}"
+ if: ctx?.url?.scheme != null && ctx?.server?.address != null && ctx?.url?.path != null
+ - uri_parts:
+ field: url.full
+ ignore_failure: true
+ if: ctx.url?.full != null
+ - registered_domain:
+ field: url.domain
+ target_field: url
+ ignore_missing: true
+ ignore_failure: true
+
+ ## IP Geolocation Lookup
+ - geoip:
+ field: observer.ip
+ target_field: observer.geo
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ ## IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+ ## DNS fields.
+ - set:
+ field: dns.type
+ value: query
+ if: ctx?.event?.action == "DnsRequest"
+ - registered_domain:
+ field: crowdstrike.DomainName
+ target_field: dns.question
+ ignore_missing: true
+ if: ctx?.event?.action == "DnsRequest"
+ - rename:
+ field: dns.question.domain
+ target_field: dns.question.name
+ ignore_missing: true
+ if: ctx?.event?.action == "DnsRequest"
+ - script:
+ description: Map decimal DNS request type to its name.
+ lang: painless
+ source: |-
+ def conversions = ["1": "A", "2": "NS", "5": "CNAME", "6": "SOA", "12": "PTR",
+ "13": "HINFO", "15": "MX", "16": "TXT", "17": "RP",
+ "18": "AFSDB", "24": "SIG", "25": "KEY", "28": "AAAA", "29": "LOC",
+ "33": "SRV", "35": "NAPTR", "36": "KX", "37": "CERT", "39": "DNAME",
+ "42": "APL", "43": "DS", "44": "SSHFP", "45": "IPSECKEY",
+ "46": "RRSIG", "47": "NSEC", "48": "DNSKEY", "49": "DHCID", "50": "NSEC3",
+ "51": "NSEC3PARAM", "52": "TLSA", "53": "SMIMEA", "55": "HIP", "59": "CDS",
+ "60": "CDNSKEY", "61": "OPENPGPKEY", "62": "CSYNC", "63": "ZONEMD",
+ "64": "SVCB", "65": "HTTPS", "108": "EUI48", "109": "EUI64", "249": "TKEY",
+ "250": "TSIG", "256": "URI", "257": "CAA", "32768": "TA", "32769": "DLV"];
+ def t = conversions[ctx.crowdstrike.RequestType];
+ if (t != null) {
+ if (ctx.dns?.question == null) {
+ ctx.dns.question = new HashMap();
+ }
+ ctx.dns.question.type = t;
+ ctx.crowdstrike.remove("RequestType");
+ }
+ if: ctx?.event?.action == "DnsRequest" && ctx?.crowdstrike?.RequestType != null && ctx.crowdstrike.RequestType != ""
+
+ ## File fields.
+ - convert:
+ field: crowdstrike.Size
+ type: long
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Size
+ target_field: file.size
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.FileIdentifier
+ target_field: file.inode
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.SourceFileName
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.TargetFileName
+ target_field: file.path
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.DiskParentDeviceInstanceId
+ target_field: file.device
+ ignore_missing: true
+ - set:
+ field: file.type
+ value: file
+ if: ctx.file?.path != null && !ctx.event.action.contains("Directory")
+ - set:
+ field: file.type
+ value: dir
+ if: ctx.file?.path != null && (ctx.event.action.contains("Directory") || ctx.file.path.endsWith("\\") || ctx.file.path.endsWith("/"))
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx?.file?.path != null && ctx.file.path.length() > 1
+ source: |-
+ def removeSuffix(String s, String suffix) {
+ if (s != null && suffix != null && s.endsWith(suffix)) {
+ return s.substring(0, s.length() - suffix.length());
+ }
+ return s;
+ }
+
+ def path = removeSuffix(ctx.file.path, "/");
+ path = removeSuffix(path, "\\");
+ def idx = path.lastIndexOf("\\");
+ if (idx == -1) {
+ idx = path.lastIndexOf("/");
+ }
+ if (idx > -1) {
+ if (ctx?.file == null) {
+ ctx.file = new HashMap();
+ }
+ ctx.file.name = path.substring(idx+1);
+ ctx.file.directory = path.substring(0, idx);
+
+ def extIdx = ctx.file.name.lastIndexOf(".");
+ if (extIdx > -1 && ctx.file.type == "file") {
+ ctx.file.extension = ctx.file.name.substring(extIdx+1);
+ }
+ }
+ if (path.charAt(1) == ":") {
+ ctx.file.drive_letter = path.charAt(0).toUpperCase();
+ }
+ - rename:
+ field: _temp.hashes
+ target_field: file.hash
+ if: ctx?.event?.action != null && (ctx.event.action.contains("File") || ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx?._temp?.hashes != null && ctx?._temp?.hashes.size() > 0
+
+ ## Crowdstrike fields.
+ - split:
+ field: crowdstrike.FalconGroupingTags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.SensorGroupingTags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.Tags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.CallStackModuleNames
+ separator: "\\|"
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: crowdstrike.UserTime
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.KernelTime
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.CycleTime
+ type: long
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{crowdstrike.ConfigStateHash}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.crowdstrike?.ConfigStateHash != null && ctx.crowdstrike.ConfigStateHash != ""
+ - trim:
+ field: crowdstrike.BootArgs
+ ignore_missing: true
+ - split:
+ field: crowdstrike.BootArgs
+ separator: '\s+'
+ ignore_missing: true
+ - date:
+ field: crowdstrike.LogonTime
+ target_field: crowdstrike.LogonTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.LogonTime != null && ctx?.crowdstrike?.LogonTime != ""
+ - date:
+ field: crowdstrike.LogoffTime
+ target_field: crowdstrike.LogoffTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.LogoffTime != null && ctx?.crowdstrike?.LogoffTime != ""
+ - date:
+ field: crowdstrike.ConnectTime
+ target_field: crowdstrike.ConnectTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ConnectTime != null && ctx?.crowdstrike?.ConnectTime != ""
+ - date:
+ field: crowdstrike.PreviousConnectTime
+ target_field: crowdstrike.PreviousConnectTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.PreviousConnectTime != null && ctx?.crowdstrike?.PreviousConnectTime != ""
+ - date:
+ field: crowdstrike.AgentLocalTime
+ target_field: crowdstrike.AgentLocalTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.AgentLocalTime != null && ctx?.crowdstrike?.AgentLocalTime != ""
+ - date:
+ field: crowdstrike.FirstSeen
+ target_field: crowdstrike.FirstSeen
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.FirstSeen != null && ctx?.crowdstrike?.FirstSeen != ""
+ - date:
+ field: crowdstrike.Time
+ target_field: crowdstrike.Time
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.Time != null && ctx?.crowdstrike?.Time != ""
+ - date:
+ field: crowdstrike.BiosReleaseDate
+ target_field: crowdstrike.BiosReleaseDate
+ formats:
+ - MM/dd/yyyy
+ - strict_date_optional_time
+ if: ctx?.crowdstrike?.BiosReleaseDate != null && ctx?.crowdstrike?.BiosReleaseDate != ""
+ - convert:
+ field: crowdstrike.AgentTimeOffset
+ target_field: crowdstrike.AgentTimeOffset
+ type: float
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.Timeout
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.PhysicalAddressLength
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.InterfaceIndex
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.NetLuidIndex
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.AttemptNumber
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.SystemTableIndex
+ type: long
+ ignore_missing: true
+ - split:
+ field: crowdstrike.NeighborList
+ separator: '\|'
+ ignore_missing: true
+ - split:
+ field: crowdstrike.ConfigStateData
+ separator: '\|'
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: "{{crowdstrike.LogonServer}}"
+ allow_duplicates: false
+ if: ctx?.crowdstrike?.LogonServer != null
+ - append:
+ field: related.hosts
+ value: "{{crowdstrike.ClientComputerName}}"
+ allow_duplicates: false
+ if: ctx?.crowdstrike?.ClientComputerName != null
+
+ ## Cleanup.
+ - remove:
+ field: crowdstrike.event_platform
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.os?.type != null
+ - remove:
+ field:
+ - _temp
+ - crowdstrike.timestamp
+ - crowdstrike._time
+ - crowdstrike.ContextTimeStamp
+ - crowdstrike.CreationTimeStamp
+ - crowdstrike.DomainName
+ - crowdstrike.ConnectionDirection
+ - crowdstrike.UserIsAdmin
+ - crowdstrike.TargetDirectoryName
+ ignore_missing: true
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message {{ _ingest.on_failure_message }}"
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/fields/base-fields.yml b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/base-fields.yml
new file mode 100755
index 0000000000..b701d8325a
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/base-fields.yml
@@ -0,0 +1,24 @@
+- name: input.type
+ type: keyword
+- name: log.offset
+ type: long
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: crowdstrike
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: crowdstrike.fdr
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/ecs.yml
new file mode 100755
index 0000000000..09e7f347a7
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/ecs.yml
@@ -0,0 +1,509 @@
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: destination.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Device that is the source of the file.
+ name: file.device
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: Inode representing the file in the filesystem.
+ name: file.inode
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: host.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: host.geo.continent_name
+ type: keyword
+- description: Country name.
+ name: host.geo.country_name
+ type: keyword
+- description: The time zone of the location, such as IANA time zone name.
+ name: host.geo.timezone
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: City name.
+ name: observer.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: observer.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: observer.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: observer.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: observer.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: observer.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: observer.geo.region_name
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: Observer serial number.
+ name: observer.serial_number
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Use the `os.type` field to categorize the operating system into one of the broad commercial families.
+ One of these following values should be used (lowercase): linux, macos, unix, windows.
+ If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+ name: os.type
+ type: keyword
+- description: Operating system version as a raw string.
+ name: os.version
+ type: keyword
+- description: |-
+ Array of process arguments, starting with the absolute path to the executable.
+ May be filtered to protect sensitive information.
+ name: process.args
+ type: keyword
+- description: |-
+ Length of the process.args array.
+ This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+ name: process.args_count
+ type: long
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: The time the process ended.
+ name: process.end
+ type: date
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: |-
+ The exit code of the process, if this is a termination event.
+ The field should be absent if there is no exit code for the event (e.g. process start).
+ name: process.exit_code
+ type: long
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.hash.sha256
+ type: keyword
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.parent.entity_id
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
+ Identifier of the group of processes the process belongs to.
+ name: process.pgid
+ type: long
+- description: Process id.
+ name: process.pid
+ type: long
+- description: The time the process started.
+ name: process.start
+ type: date
+- description: Thread ID.
+ name: process.thread.id
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: Seconds the process has been up.
+ name: process.uptime
+ type: long
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: url.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.group.id
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/fields.yml
new file mode 100755
index 0000000000..430dfe74b2
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/fields/fields.yml
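Review bot: The `observer.geo.location` entry carries `level: core` while the other two `geo_point` entries in this file, `destination.geo.location` and `source.geo.location`, do not, so the three parallel definitions are written inconsistently. Package field definitions in this repository otherwise do not set `level`, so the attribute looks like a leftover from the ECS source rather than an intentional difference; if so, drop the line ` level: core` so `observer.geo.location` matches its siblings, or add it to all three if the metadata is wanted. The rest of the hunk is internally consistent (each `multi_fields` text entry uses `match_only_text`, and `event.original` is correctly declared `index: false` / `doc_values: false`).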
@@ -0,0 +1,595 @@
+- name: observer.address
+ type: keyword
+- name: crowdstrike
+ type: group
+ fields:
+ - name: AgentTimeOffset
+ type: float
+ - name: AllocateVirtualMemoryCount
+ type: long
+ - name: ApiReturnValue
+ type: keyword
+ - name: ArchiveFileWrittenCount
+ type: long
+ - name: AsepWrittenCount
+ type: long
+ - name: AuthenticationId
+ type: keyword
+ - name: AuthenticationPackage
+ type: keyword
+ - name: BinaryExecutableWrittenCount
+ type: long
+ - name: BootArgs
+ type: keyword
+ - name: BundleID
+ type: keyword
+ - name: CLICreationCount
+ type: long
+ - name: CallStackModuleNames
+ type: keyword
+ - name: CallStackModuleNamesVersion
+ type: version
+ - name: ClientComputerName
+ type: keyword
+ - name: CompletionEventId
+ type: keyword
+ - name: ConfigBuild
+ type: keyword
+ - name: ConHostId
+ type: keyword
+ - name: ConHostProcessId
+ type: keyword
+ - name: ConfigStateHash
+ type: keyword
+ - name: ConnectionFlags
+ type: keyword
+ - name: ContextProcessId
+ type: keyword
+ - name: CreateProcessCount
+ type: long
+ - name: CreateProcessType
+ type: keyword
+ - name: CycleTime
+ type: long
+ - name: DesiredAccess
+ type: keyword
+ - name: DirectoryCreatedCount
+ type: long
+ - name: DirectoryEnumeratedCount
+ type: long
+ - name: DnsRequestCount
+ type: long
+ - name: DocumentFileWrittenCount
+ type: long
+ - name: DownloadPath
+ type: keyword
+ - name: DownloadPort
+ type: long
+ - name: DownloadServer
+ type: keyword
+ - name: DualRequest
+ type: keyword
+ - name: EffectiveTransmissionClass
+ type: keyword
+ - name: EnabledPrivilegesBitmask
+ type: keyword
+ - name: Entitlements
+ type: keyword
+ - name: ExeAndServiceCount
+ type: long
+ - name: ExecutableDeletedCount
+ type: long
+ - name: FalconGroupingTags
+ type: keyword
+ - name: FileAttributes
+ type: keyword
+ - name: FileDeletedCount
+ type: long
+ - name: FileEcpBitmask
+ type: keyword
+ - name: FileObject
+ type: keyword
+ - name: FirstSeen
+ type: date
+ - name: Flags
+ type: keyword
+ - name: GenericFileWrittenCount
+ type: long
+ - name: GrandParentBaseFileName
+ type: keyword
+ - name: HostHiddenStatus
+ type: keyword
+ - name: ImageSubsystem
+ type: keyword
+ - name: InContext
+ type: keyword
+ - name: Information
+ type: keyword
+ - name: InjectedDllCount
+ type: long
+ - name: InjectedThreadCount
+ type: long
+ - name: IntegrityLevel
+ type: keyword
+ - name: InterfaceGuid
+ type: keyword
+ - name: InterfaceIndex
+ type: long
+ - name: InterfaceVersion
+ type: keyword
+ - name: IrpFlags
+ type: keyword
+ - name: IsOnNetwork
+ type: keyword
+ - name: IsOnRemovableDisk
+ type: keyword
+ - name: IsTransactedFile
+ type: keyword
+ - name: KernelTime
+ type: long
+ - name: LogoffTime
+ type: date
+ - name: LogonDomain
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonServer
+ type: keyword
+ - name: LogonTime
+ type: date
+ - name: LogonType
+ type: keyword
+ - name: MachOSubType
+ type: keyword
+ - name: MajorFunction
+ type: keyword
+ - name: MaxThreadCount
+ type: long
+ - name: MinorFunction
+ type: keyword
+ - name: ModuleLoadCount
+ type: long
+ - name: NDRoot
+ type: keyword
+ - name: NetworkBindCount
+ type: long
+ - name: NetworkCapableAsepWriteCount
+ type: long
+ - name: NetworkCloseCount
+ type: long
+ - name: NetworkConnectCount
+ type: long
+ - name: NetworkConnectCountUdp
+ type: long
+ - name: NetworkListenCount
+ type: long
+ - name: NetworkModuleLoadCount
+ type: long
+ - name: NetworkRecvAcceptCount
+ type: long
+ - name: NewExecutableWrittenCount
+ type: long
+ - name: NewFileIdentifier
+ type: keyword
+ - name: OperationFlags
+ type: keyword
+ - name: Options
+ type: keyword
+ - name: OU
+ type: keyword
+ - name: ParentAuthenticationId
+ type: keyword
+ - name: PasswordLastSet
+ type: keyword
+ - name: PhysicalAddressLength
+ type: long
+ - name: PointerSize
+ type: keyword
+ - name: PrivilegedProcessHandleCount
+ type: long
+ - name: PrivilegesBitmask
+ type: keyword
+ - name: ProcessCreateFlags
+ type: keyword
+ - name: ProcessParameterFlags
+ type: keyword
+ - name: ProcessSxsFlags
+ type: keyword
+ - name: ProductType
+ type: keyword
+ - name: ProtectVirtualMemoryCount
+ type: long
+ - name: QueueApcCount
+ type: long
+ - name: RGID
+ type: keyword
+ - name: RUID
+ type: keyword
+ - name: RegKeySecurityDecreasedCount
+ type: long
+ - name: RemoteAccount
+ type: keyword
+ - name: RemovableDiskFileWrittenCount
+ type: long
+ - name: RequestType
+ type: keyword
+ - name: RpcClientProcessId
+ type: keyword
+ - name: RpcClientThreadId
+ type: keyword
+ - name: RpcNestingLevel
+ type: keyword
+ - name: RpcOpNum
+ type: keyword
+ - name: RunDllInvocationCount
+ type: long
+ - name: SVGID
+ type: keyword
+ - name: SVUID
+ type: keyword
+ - name: ScreenshotsTakenCount
+ type: long
+ - name: ScriptEngineInvocationCount
+ type: long
+ - name: SensorGroupingTags
+ type: keyword
+ - name: ServiceDisplayName
+ type: keyword
+ - name: ServiceEventCount
+ type: long
+ - name: ServicePackMajor
+ type: keyword
+ - name: SessionId
+ type: keyword
+ - name: SessionProcessId
+ type: keyword
+ - name: SetThreadContextCount
+ type: long
+ - name: ShareAccess
+ type: keyword
+ - name: Size
+ type: long
+ - name: SiteName
+ type: keyword
+ - name: SnapshotFileOpenCount
+ type: long
+ - name: SourceFileName
+ type: keyword
+ - name: SourceProcessId
+ type: keyword
+ - name: SourceThreadId
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: SubStatus
+ type: keyword
+ - name: SuspectStackCount
+ type: long
+ - name: SuspiciousCredentialModuleLoadCount
+ type: long
+ - name: SuspiciousDnsRequestCount
+ type: long
+ - name: SuspiciousFontLoadCount
+ type: long
+ - name: SuspiciousRawDiskReadCount
+ type: long
+ - name: Tags
+ type: keyword
+ - name: TargetThreadId
+ type: keyword
+ - name: Time
+ type: date
+ - name: Timeout
+ type: long
+ - name: TokenType
+ type: keyword
+ - name: UnixMode
+ type: keyword
+ - name: UnsignedModuleLoadCount
+ type: long
+ - name: UserFlags
+ type: keyword
+ - name: UserGroupsBitmask
+ type: keyword
+ - name: UserLogoffType
+ type: keyword
+ - name: UserLogonFlags
+ type: keyword
+ - name: UserMemoryAllocateExecutableCount
+ type: long
+ - name: UserMemoryAllocateExecutableRemoteCount
+ type: long
+ - name: UserMemoryProtectExecutableCount
+ type: long
+ - name: UserMemoryProtectExecutableRemoteCount
+ type: long
+ - name: UserTime
+ type: long
+ - name: VnodeModificationType
+ type: keyword
+ - name: VnodeType
+ type: keyword
+ - name: VolumeDeviceCharacteristics
+ type: keyword
+ - name: VolumeDeviceObjectFlags
+ type: keyword
+ - name: VolumeDeviceType
+ type: keyword
+ - name: VolumeDriveLetter
+ type: keyword
+ - name: VolumeFileSystemDevice
+ type: keyword
+ - name: VolumeFileSystemDriver
+ type: keyword
+ - name: VolumeFileSystemType
+ type: keyword
+ - name: VolumeIsEncrypted
+ type: keyword
+ - name: VolumeIsNetwork
+ type: keyword
+ - name: VolumeMountPoint
+ type: keyword
+ - name: VolumeName
+ type: keyword
+ - name: VolumeRealDeviceName
+ type: keyword
+ - name: VolumeSectorSize
+ type: keyword
+ - name: cid
+ type: keyword
+ - name: name
+ type: keyword
+ - name: AgentLoadFlags
+ type: keyword
+ - name: AgentLocalTime
+ type: date
+ - name: AgentVersion
+ type: keyword
+ - name: AttemptNumber
+ type: long
+ - name: AuthenticationUuid
+ type: keyword
+ - name: AuthenticationUuidAsString
+ type: keyword
+ - name: BiosManufacturer
+ type: keyword
+ - name: BiosReleaseDate
+ type: date
+ - name: BiosVersion
+ type: keyword
+ - name: BootTimeFunctionalityLevel
+ type: keyword
+ - name: BoundedCount
+ type: long
+ - name: ChannelDiffStatus
+ type: keyword
+ - name: ChannelId
+ type: keyword
+ - name: ChannelVersion
+ type: keyword
+ - name: ChannelVersionRequired
+ type: keyword
+ - name: ChasisManufacturer
+ type: keyword
+ - name: ChassisType
+ type: keyword
+ - name: ConfigIDBase
+ type: keyword
+ - name: ConfigIDBuild
+ type: keyword
+ - name: ConfigIDPlatform
+ type: keyword
+ - name: ConfigStateData
+ type: keyword
+ - name: ConfigurationVersion
+ type: keyword
+ - name: ConnectTime
+ type: date
+ - name: ConnectType
+ type: keyword
+ - name: CpuClockSpeed
+ type: keyword
+ - name: CpuFeaturesMask
+ type: keyword
+ - name: CpuProcessorName
+ type: keyword
+ - name: CpuSignature
+ type: keyword
+ - name: CpuVendor
+ type: keyword
+ - name: CurrentFunctionalityLevel
+ type: keyword
+ - name: DeviceId
+ type: keyword
+ - name: ELFSubType
+ type: keyword
+ - name: ErrorCode
+ type: keyword
+ - name: ErrorStatus
+ type: keyword
+ - name: EtwRawThreadId
+ type: long
+ - name: FXFileSize
+ type: keyword
+ - name: Facility
+ type: keyword
+ - name: FailedConnectCount
+ type: long
+ - name: FeatureExtractionVersion
+ type: keyword
+ - name: FeatureVector
+ type: keyword
+ - name: File
+ type: keyword
+ - name: FirmwareAnalysisEclConsumerInterfaceVersion
+ type: keyword
+ - name: FirmwareAnalysisEclControlInterfaceVersion
+ type: keyword
+ - name: IOServiceClass
+ type: keyword
+ - name: IOServiceName
+ type: keyword
+ - name: IOServicePath
+ type: keyword
+ - name: InDiscards
+ type: keyword
+ - name: InErrors
+ type: keyword
+ - name: InMulticastPkts
+ type: keyword
+ - name: InOctets
+ type: keyword
+ - name: InUcastPkts
+ type: keyword
+ - name: InUnknownProtos
+ type: keyword
+ - name: InterfaceAlias
+ type: keyword
+ - name: InterfaceType
+ type: keyword
+ - name: LfoUploadFlags
+ type: keyword
+ - name: LightningLatencyState
+ type: keyword
+ - name: Line
+ type: keyword
+ - name: LogicalCoreCount
+ type: long
+ - name: LoginSessionId
+ type: keyword
+ - name: MLModelVersion
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: Malicious
+ type: keyword
+ - name: MemoryTotal
+ type: keyword
+ - name: MicrocodeSignature
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: MoboManufacturer
+ type: keyword
+ - name: MoboProductName
+ type: keyword
+ - name: ModelPrediction
+ type: keyword
+ - name: NeighborList
+ type: keyword
+ - name: NetLuidIndex + type: long + - name: NetworkContainmentState + type: keyword + - name: OSVersionFileData + type: keyword + - name: OSVersionFileName + type: keyword + - name: OutErrors + type: keyword + - name: OutMulticastPkts + type: keyword + - name: OutOctets + type: keyword + - name: OutUcastPkts + type: keyword + - name: Parameter1 + type: keyword + - name: Parameter2 + type: keyword + - name: Parameter3 + type: keyword + - name: PciAttachmentState + type: keyword + - name: PhysicalCoreCount + type: long + - name: PreviousConnectTime + type: date + - name: ProcessCount + type: long + - name: ProcessorPackageCount + type: long + - name: ProvisionState + type: keyword + - name: PupAdwareConfidence + type: keyword + - name: PupAdwareDecisionValue + type: keyword + - name: RFMState + type: keyword + - name: ReasonOfFunctionalityLevel + type: keyword + - name: SensorStateBitMap + type: keyword + - name: SuppressType + type: keyword + - name: SyntheticPR2Flags + type: keyword + - name: SystemManufacturer + type: keyword + - name: SystemProductName + type: keyword + - name: SystemSerialNumber + type: keyword + - name: SystemSku + type: keyword + - name: SystemTableIndex + type: long + - name: TargetFileName + type: keyword + - name: USN + type: keyword + - name: UploadId + type: keyword + - name: UserSid + type: keyword + - name: VerifiedCertificate + type: keyword + - name: VolumeAppearanceTime + type: keyword + - name: VolumeBusName + type: keyword + - name: VolumeBusPath + type: keyword + - name: VolumeDeviceInternal + type: keyword + - name: VolumeDeviceModel + type: keyword + - name: VolumeDevicePath + type: keyword + - name: VolumeDeviceProtocol + type: keyword + - name: VolumeDeviceRevision + type: keyword + - name: VolumeMediaBSDMajor + type: keyword + - name: VolumeMediaBSDMinor + type: keyword + - name: VolumeMediaBSDName + type: keyword + - name: VolumeMediaBSDUnit + type: keyword + - name: VolumeMediaContent + type: keyword + - name: 
VolumeMediaEjectable + type: keyword + - name: VolumeMediaName + type: keyword + - name: VolumeMediaPath + type: keyword + - name: VolumeMediaRemovable + type: keyword + - name: VolumeMediaSize + type: keyword + - name: VolumeMediaUUID + type: keyword + - name: VolumeMediaWhole + type: keyword + - name: VolumeMediaWritable + type: keyword + - name: VolumeType + type: keyword + - name: VolumeUUID + type: keyword + - name: WindowFlags + type: keyword diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/manifest.yml b/packages/crowdstrike/1.3.2/data_stream/fdr/manifest.yml new file mode 100755 index 0000000000..755618e931 --- /dev/null +++ b/packages/crowdstrike/1.3.2/data_stream/fdr/manifest.yml 
@@ -0,0 +1,183 @@
+title: "Falcon Data Replicator"
+type: logs
+streams:
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
+ title: Falcon Data Replicator logs
+ description: Collect Falcon Data Replicator logs using s3 input
+ vars:
+ - name: access_key_id
+ type: text
+ title: Access Key ID
+ multi: false
+ required: false
+ show_user: true
+ - name: secret_access_key
+ type: text
+ title: Secret Access Key
+ multi: false
+ required: false
+ show_user: true
+ - name: session_token
+ type: text
+ title: Session Token
+ multi: false
+ required: false
+ show_user: true
+ - name: queue_url
+ type: text
+ title: Queue URL
+ multi: false
+ required: true
+ show_user: true
+ description: URL of the AWS SQS queue that messages will be received from.
+ - name: is_fdr_queue
+ type: bool
+ title: Is FDR queue
+ multi: false
+ required: true
+ show_user: true
+ description: |
+ By default the FDR queue is expected. This option must be set to `false` if you are using your own queue.
+ default: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: shared_credential_file
+ type: text
+ title: Shared Credential File
+ multi: false
+ required: false
+ show_user: false
+ description: Directory of the shared credentials file
+ - name: credential_profile_name
+ type: text
+ title: Credential Profile Name
+ multi: false
+ required: false
+ show_user: false
+ - name: role_arn
+ type: text
+ title: Role ARN
+ multi: false
+ required: false
+ show_user: false
+ - name: endpoint
+ type: text
+ title: Endpoint
+ multi: false
+ required: false
+ show_user: false
+ default: "amazonaws.com"
+ description: URL of the entry point for an AWS web service
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: fdr_parsing_script
+ type: yaml
+ title: FDR Notification Parsing Script
+ multi: false
+ required: true
+ show_user: false
+ description: The JS script used to parse the custom format of SQS FDR notifications.
+ default: |
+ function parse(n) {
+ var m = JSON.parse(n);
+ var evts = [];
+ var files = m.files;
+ var bucket = m.bucket;
+ if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+ return evts;
+ }
+ files.forEach(function(f){
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(bucket);
+ evt.SetS3ObjectKey(f.path);
+ evts.push(evt);
+ });
+ return evts;
+ }
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-fdr
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ title: Falcon Data Replicator logs
+ description: Collect Falcon Data Replicator logs using a log file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ default:
+ - /var/log/falcon_data_replicator.log
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-fdr
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/crowdstrike/1.3.2/data_stream/fdr/sample_event.json b/packages/crowdstrike/1.3.2/data_stream/fdr/sample_event.json
new file mode 100755
index 0000000000..07551bd55b
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/data_stream/fdr/sample_event.json
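Review bot: The `access_key_id`, `secret_access_key` and `session_token` vars of the aws-s3 stream are declared `type: text` with `show_user: true`, so the AWS credentials a user enters are rendered and stored as plain visible text in the policy form; the package spec's `type: password` var type masks such values and is what these three should use, e.g. `type: password` in place of `type: text` on each. The `proxy_url` description reads `URL to proxy connections in the form of http[s]://:@:`, which looks like the placeholder tokens between the separators were lost, so the intended user/password/host/port form should be restored or the sentence reworded; because a proxy URL can embed credentials, the same masking consideration applies to that var if credentials are expected there. The `shared_credential_file` description says `Directory of the shared credentials file` although the var name and title indicate a file path, so `description: Path to the shared credentials file` would be more accurate. If this directory is a published copy of the upstream package, these fixes belong in the upstream source rather than in this snapshot.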
@@ -0,0 +1,121 @@ +{ + "@timestamp": "2020-11-08T09:58:32.519Z", + "agent": { + "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba", + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "crowdstrike": { + "ConfigStateHash": "1763245019", + "DesiredAccess": "1179785", + "EffectiveTransmissionClass": "3", + "Entitlements": "15", + "FileAttributes": "0", + "FileObject": "18446670458156489088", + "Information": "1", + "IrpFlags": "2180", + "MajorFunction": "0", + "MinorFunction": "0", + "OperationFlags": "0", + "Options": "16777312", + "ShareAccess": "5", + "Status": "0", + "cid": "ffffffff30a3407dae27d0503611022d", + "name": "RansomwareOpenFileV4" + }, + "data_stream": { + "dataset": "crowdstrike.fdr", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "RansomwareOpenFile", + "agent_id_status": "verified", + "category": [ + "file" + ], + "created": "2020-11-08T17:07:22.091Z", + "dataset": "crowdstrike.fdr", + "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", + "ingested": "2022-05-09T16:39:37Z", + "kind": "alert", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", + "outcome": "success", + "timezone": "+00:00", + "type": [ + "access" + ] + }, + "file": { + "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", + "extension": "pptx", + "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", + "name": "file.pptx", + "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", + "type": "file" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fdr-sample.log" + }, + "offset": 95203 + }, + "observer": { + "address": "67.43.156.14", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "os": { + "type": "windows" + }, + "process": { + "entity_id": "1016182570608", + "thread": { + "id": 37343520154472 + } + }, + "related": { 
+ "hash": [ + "1763245019" + ], + "hosts": [ + "67.43.156.14" + ], + "ip": [ + "67.43.156.14" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-fdr" + ], + "url": { + "scheme": "http" + } +} \ No newline at end of file diff --git a/packages/crowdstrike/1.3.2/docs/README.md b/packages/crowdstrike/1.3.2/docs/README.md new file mode 100755 index 0000000000..77ec53e0b5 --- /dev/null +++ b/packages/crowdstrike/1.3.2/docs/README.md 
@@ -0,0 +1,1024 @@ +# CrowdStrike Integration + +This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the +following datasets for receiving logs: + +- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). +- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). + +## Compatibility + +This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. + +## Logs + +### Falcon + +Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested | +| crowdstrike.event.CommandLine | Executable path with command line arguments. | keyword | +| crowdstrike.event.Commands | Commands run in a remote session. | keyword | +| crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword | +| crowdstrike.event.ConnectionDirection | Direction for network connection. | keyword | +| crowdstrike.event.CustomerId | Customer identifier. | keyword | +| crowdstrike.event.DetectDescription | Description of the detection. | keyword | +| crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword | +| crowdstrike.event.DetectName | Name of the detection. | keyword | +| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword | +| crowdstrike.event.EndTimestamp | End time for the remote session in UTC UNIX format. | date | +| crowdstrike.event.EventType | CrowdStrike provided event type. | keyword | +| crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested | +| crowdstrike.event.FalconHostLink | URL to view the detection in Falcon. | keyword | +| crowdstrike.event.FileName | File name of the associated process for the detection. 
| keyword | +| crowdstrike.event.FilePath | Path of the executable associated with the detection. | keyword | +| crowdstrike.event.FineScore | Score for incident. | float | +| crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean | +| crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean | +| crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean | +| crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword | +| crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword | +| crowdstrike.event.HostName | Host name of the local machine. | keyword | +| crowdstrike.event.HostnameField | Host name of the machine for the remote session. | keyword | +| crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword | +| crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword | +| crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword | +| crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword | +| crowdstrike.event.ImageFileName | File name of the associated process for the detection. | keyword | +| crowdstrike.event.IncidentEndTime | End time for the incident in UTC UNIX format. | date | +| crowdstrike.event.IncidentStartTime | Start time for the incident in UTC UNIX format. | date | +| crowdstrike.event.Ipv | Protocol for network request. | keyword | +| crowdstrike.event.LateralMovement | Lateral movement field for incident. | long | +| crowdstrike.event.LocalAddress | IP address of local machine. | ip | +| crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword | +| crowdstrike.event.LocalPort | Port of local machine. | long | +| crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword | +| crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. 
| keyword | +| crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. | keyword | +| crowdstrike.event.MatchCount | Number of firewall rule matches. | long | +| crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long | +| crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword | +| crowdstrike.event.Objective | Method of detection. | keyword | +| crowdstrike.event.OperationName | Event subtype. | keyword | +| crowdstrike.event.PID | Associated process id for the detection. | long | +| crowdstrike.event.ParentCommandLine | Parent process command line arguments. | keyword | +| crowdstrike.event.ParentImageFileName | Path to the parent process. | keyword | +| crowdstrike.event.ParentProcessId | Parent process ID related to the detection. | integer | +| crowdstrike.event.PatternDispositionDescription | Action taken by Falcon. | keyword | +| crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.Detect | | boolean | +| crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.InddetMask | | boolean | +| crowdstrike.event.PatternDispositionFlags.Indicator | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillParent | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillProcess | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillSubProcess | | boolean | +| crowdstrike.event.PatternDispositionFlags.OperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.PolicyDisabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.ProcessBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.QuarantineFile | | boolean | +| crowdstrike.event.PatternDispositionFlags.QuarantineMachine | | boolean | +| 
crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.Rooting | | boolean | +| crowdstrike.event.PatternDispositionFlags.SensorOnly | | boolean | +| crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer | +| crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword | +| crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword | +| crowdstrike.event.ProcessEndTime | The process termination time in UTC UNIX_MS format. | date | +| crowdstrike.event.ProcessId | Process ID related to the detection. | integer | +| crowdstrike.event.ProcessStartTime | The process start time in UTC UNIX_MS format. | date | +| crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword | +| crowdstrike.event.RemoteAddress | IP address of remote machine. | ip | +| crowdstrike.event.RemotePort | Port of remote machine. | long | +| crowdstrike.event.RuleAction | Firewall rule action. | keyword | +| crowdstrike.event.RuleDescription | Firewall rule description. | keyword | +| crowdstrike.event.RuleFamilyID | Firewall rule family id. | keyword | +| crowdstrike.event.RuleGroupName | Firewall rule group name. | keyword | +| crowdstrike.event.RuleId | Firewall rule id. | keyword | +| crowdstrike.event.RuleName | Firewall rule name. | keyword | +| crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword | +| crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword | +| crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword | +| crowdstrike.event.ServiceName | Service associated with this event. | keyword | +| crowdstrike.event.SessionId | Session ID of the remote response session. | keyword | +| crowdstrike.event.Severity | Severity score of the detection. | integer | +| crowdstrike.event.SeverityName | Severity score text. 
| keyword | +| crowdstrike.event.StartTimestamp | Start time for the remote session in UTC UNIX format. | date | +| crowdstrike.event.State | Whether the incident summary is open and ongoing or closed. | keyword | +| crowdstrike.event.Status | CrowdStrike status. | keyword | +| crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean | +| crowdstrike.event.Tactic | MITRE tactic category of the detection. | keyword | +| crowdstrike.event.Technique | MITRE technique category of the detection. | keyword | +| crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date | +| crowdstrike.event.TreeID | CrowdStrike tree id. | keyword | +| crowdstrike.event.UTCTimestamp | Timestamp associated with this event in UTC UNIX format. | date | +| crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword | +| crowdstrike.event.UserIp | IP address associated with the user. | keyword | +| crowdstrike.event.UserName | User name associated with the detection. | keyword | +| crowdstrike.metadata.customerIDString | Customer identifier | keyword | +| crowdstrike.metadata.eventCreationTime | The time this event occurred on the endpoint in UTC UNIX_MS format. | date | +| crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword | +| crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer | +| crowdstrike.metadata.version | Schema version | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. 
| keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.pid | Process id. | long |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
+| rule.description | The description of the rule generating the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. 
| keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+
+
+An example event for `falcon` looks as following:
+
+```json
+{
+ "@timestamp": "2020-02-12T21:29:10.710Z",
+ "agent": {
+ "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575",
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "crowdstrike": {
+ "event": {
+ "AuditKeyValues": [
+ {
+ "Key": "APIClientID",
+ "ValueString": "1234567890abcdefghijklmnopqr"
+ },
+ {
+ "Key": "partition",
+ "ValueString": "0"
+ },
+ {
+ "Key": "offset",
+ "ValueString": "-1"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "siem-connector-v2.0.0"
+ },
+ {
+ "Key": "eventType",
+ "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
+ }
+ ],
+ "OperationName": "streamStarted",
+ "ServiceName": "Crowdstrike Streaming API",
+ "Success": true,
+ "UTCTimestamp": "2020-02-12T21:29:10.000Z",
+ "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
+ "UserIp": "10.10.0.8"
+ },
+ "metadata": {
+ "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+ "eventCreationTime": "2020-02-12T21:29:10.710Z",
+ "eventType": 
"AuthActivityAuditEvent",
+ "offset": 0,
+ "version": "1.0"
+ }
+ },
+ "data_stream": {
+ "dataset": "crowdstrike.falcon",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "crowdstrike.falcon",
+ "ingested": "2022-05-09T16:35:19Z",
+ "kind": "event",
+ "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "event.action": "stream_started",
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/falcon-audit-events.log"
+ },
+ "flags": [
+ "multiline"
+ ],
+ "offset": 910
+ },
+ "message": "Crowdstrike Streaming API",
+ "related": {
+ "ip": [
+ "10.10.0.8"
+ ],
+ "user": [
+ "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
+ ]
+ },
+ "source": {
+ "ip": "10.10.0.8"
+ },
+ "tags": [
+ 
"preserve_original_event",
+ "forwarded",
+ "crowdstrike-falcon"
+ ],
+ "user": {
+ "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
+ }
+}
+```
+
+### FDR
+
+The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike
+managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is
+available in S3.
+
+This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed
+SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket
+and the integration can read from there.
+
+In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic
+Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time.
+
+#### Use with CrowdStrike managed S3/SQS
+
+This is the simplest way to setup the integration, and also the default.
+
+You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR.
+Ensure the `Is FDR queue` option is enabled.
+
+#### Use with FDR tool and data replicated to a self-managed S3 bucket
+
+This option can be used if you want to archive the raw CrowdStrike data.
+
+You need to follow the steps below:
+
+- Create a S3 bucket to receive the logs.
+- Create a SQS queue.
+- Configure your S3 bucket to send object created notifications to your SQS queue.
+- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket.
+- Configure the integration to read from your self-managed SQS topic.
+- Disable the `Is FDR queue` option in the integration.
+
+> NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. 
+
+#### Configuration for the S3 input
+
+AWS credentials are required for running this integration if you want to use the S3 input.
+
+##### Configuration parameters
+* `access_key_id`: first part of access key.
+* `secret_access_key`: second part of access key.
+* `session_token`: required when using temporary security credentials.
+* `credential_profile_name`: profile name in shared credentials file.
+* `shared_credential_file`: directory of the shared credentials file.
+* `endpoint`: URL of the entry point for an AWS web service.
+* `role_arn`: AWS IAM Role to assume.
+
+##### Credential Types
+There are three types of AWS credentials can be used:
+
+- access keys,
+- temporary security credentials, and
+- IAM role ARN.
+
+##### Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys.
+They are long-term credentials for an IAM user, or the AWS account root user.
+Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys)
+for more details.
+
+##### Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an
+access key ID, a secret access key, and a security token which typically returned
+from `GetSessionToken`.
+
+MFA-enabled IAM users would need to submit an MFA code
+while calling `GetSessionToken`. `default_region` identifies the AWS Region
+whose servers you want to send your first API request to by default.
+
+This is typically the Region closest to you, but it can be any Region. Please see
+[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+for more details.
+
+`sts get-session-token` AWS CLI can be used to generate temporary credentials.
+For example. 
with MFA-enabled:
+```js
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456
+```
+
+Because temporary security credentials are short term, after they expire, the
+user needs to generate new ones and manually update the package configuration in
+order to continue collecting `aws` metrics.
+
+This will cause data loss if the configuration is not updated with new credentials before the old ones expire.
+
+##### IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has
+specific permissions that determine what the identity can and cannot do in AWS.
+
+A role does not have standard long-term credentials such as a password or access
+keys associated with it. Instead, when you assume a role, it provides you with
+temporary security credentials for your role session.
+IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate
+temporary credentials.
+
+Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+##### Supported Formats
+1. Use access keys: Access keys include `access_key_id`, `secret_access_key`
+and/or `session_token`.
+2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume
+ for generating temporary credentials.
+ If `role_arn` is given, the package will check if access keys are given.
+ If not, the package will check for credential profile name.
+ If neither is given, default credential profile will be used.
+
+ Please make sure credentials are given under either a credential profile or
+ access keys.
+3. Use `credential_profile_name` and/or `shared_credential_file`:
+ If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then
+ the package will check for `credential_profile_name`. 
+ If you use different credentials for different tools or applications, you can use profiles to
+ configure multiple access keys in the same configuration file.
+ If there is no `credential_profile_name` given, the default profile will be used.
+ `shared_credential_file` is optional to specify the directory of your shared
+ credentials file.
+ If it's empty, the default directory will be used.
+ In Windows, shared credentials file is at `C:\Users\\.aws\credentials`.
+ For Linux, macOS or Unix, the file locates at `~/.aws/credentials`.
+ Please see[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html)
+ for more details.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| crowdstrike.AgentLoadFlags | | keyword |
+| crowdstrike.AgentLocalTime | | date |
+| crowdstrike.AgentTimeOffset | | float |
+| crowdstrike.AgentVersion | | keyword |
+| crowdstrike.AllocateVirtualMemoryCount | | long |
+| crowdstrike.ApiReturnValue | | keyword |
+| crowdstrike.ArchiveFileWrittenCount | | long |
+| crowdstrike.AsepWrittenCount | | long |
+| crowdstrike.AttemptNumber | | long |
+| crowdstrike.AuthenticationId | | keyword |
+| crowdstrike.AuthenticationPackage | | keyword |
+| crowdstrike.AuthenticationUuid | | keyword |
+| crowdstrike.AuthenticationUuidAsString | | keyword |
+| crowdstrike.BinaryExecutableWrittenCount | | long |
+| crowdstrike.BiosManufacturer | | keyword |
+| crowdstrike.BiosReleaseDate | | date |
+| crowdstrike.BiosVersion | | keyword |
+| crowdstrike.BootArgs | | keyword |
+| crowdstrike.BootTimeFunctionalityLevel | | keyword |
+| crowdstrike.BoundedCount | | long |
+| crowdstrike.BundleID | | keyword |
+| crowdstrike.CLICreationCount | | long |
+| crowdstrike.CallStackModuleNames | | keyword |
+| crowdstrike.CallStackModuleNamesVersion | | version |
+| crowdstrike.ChannelDiffStatus | | keyword |
+| crowdstrike.ChannelId | | 
keyword |
+| crowdstrike.ChannelVersion | | keyword |
+| crowdstrike.ChannelVersionRequired | | keyword |
+| crowdstrike.ChasisManufacturer | | keyword |
+| crowdstrike.ChassisType | | keyword |
+| crowdstrike.ClientComputerName | | keyword |
+| crowdstrike.CompletionEventId | | keyword |
+| crowdstrike.ConHostId | | keyword |
+| crowdstrike.ConHostProcessId | | keyword |
+| crowdstrike.ConfigBuild | | keyword |
+| crowdstrike.ConfigIDBase | | keyword |
+| crowdstrike.ConfigIDBuild | | keyword |
+| crowdstrike.ConfigIDPlatform | | keyword |
+| crowdstrike.ConfigStateData | | keyword |
+| crowdstrike.ConfigStateHash | | keyword |
+| crowdstrike.ConfigurationVersion | | keyword |
+| crowdstrike.ConnectTime | | date |
+| crowdstrike.ConnectType | | keyword |
+| crowdstrike.ConnectionFlags | | keyword |
+| crowdstrike.ContextProcessId | | keyword |
+| crowdstrike.CpuClockSpeed | | keyword |
+| crowdstrike.CpuFeaturesMask | | keyword |
+| crowdstrike.CpuProcessorName | | keyword |
+| crowdstrike.CpuSignature | | keyword |
+| crowdstrike.CpuVendor | | keyword |
+| crowdstrike.CreateProcessCount | | long |
+| crowdstrike.CreateProcessType | | keyword |
+| crowdstrike.CurrentFunctionalityLevel | | keyword |
+| crowdstrike.CycleTime | | long |
+| crowdstrike.DesiredAccess | | keyword |
+| crowdstrike.DeviceId | | keyword |
+| crowdstrike.DirectoryCreatedCount | | long |
+| crowdstrike.DirectoryEnumeratedCount | | long |
+| crowdstrike.DnsRequestCount | | long |
+| crowdstrike.DocumentFileWrittenCount | | long |
+| crowdstrike.DownloadPath | | keyword |
+| crowdstrike.DownloadPort | | long |
+| crowdstrike.DownloadServer | | keyword |
+| crowdstrike.DualRequest | | keyword |
+| crowdstrike.ELFSubType | | keyword |
+| crowdstrike.EffectiveTransmissionClass | | keyword |
+| crowdstrike.EnabledPrivilegesBitmask | | keyword |
+| crowdstrike.Entitlements | | keyword |
+| crowdstrike.ErrorCode | | keyword |
+| crowdstrike.ErrorStatus | | keyword |
+| crowdstrike.EtwRawThreadId | | 
long |
+| crowdstrike.ExeAndServiceCount | | long |
+| crowdstrike.ExecutableDeletedCount | | long |
+| crowdstrike.FXFileSize | | keyword |
+| crowdstrike.Facility | | keyword |
+| crowdstrike.FailedConnectCount | | long |
+| crowdstrike.FalconGroupingTags | | keyword |
+| crowdstrike.FeatureExtractionVersion | | keyword |
+| crowdstrike.FeatureVector | | keyword |
+| crowdstrike.File | | keyword |
+| crowdstrike.FileAttributes | | keyword |
+| crowdstrike.FileDeletedCount | | long |
+| crowdstrike.FileEcpBitmask | | keyword |
+| crowdstrike.FileObject | | keyword |
+| crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword |
+| crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword |
+| crowdstrike.FirstSeen | | date |
+| crowdstrike.Flags | | keyword |
+| crowdstrike.GenericFileWrittenCount | | long |
+| crowdstrike.GrandParentBaseFileName | | keyword |
+| crowdstrike.HostHiddenStatus | | keyword |
+| crowdstrike.IOServiceClass | | keyword |
+| crowdstrike.IOServiceName | | keyword |
+| crowdstrike.IOServicePath | | keyword |
+| crowdstrike.ImageSubsystem | | keyword |
+| crowdstrike.InContext | | keyword |
+| crowdstrike.InDiscards | | keyword |
+| crowdstrike.InErrors | | keyword |
+| crowdstrike.InMulticastPkts | | keyword |
+| crowdstrike.InOctets | | keyword |
+| crowdstrike.InUcastPkts | | keyword |
+| crowdstrike.InUnknownProtos | | keyword |
+| crowdstrike.Information | | keyword |
+| crowdstrike.InjectedDllCount | | long |
+| crowdstrike.InjectedThreadCount | | long |
+| crowdstrike.IntegrityLevel | | keyword |
+| crowdstrike.InterfaceAlias | | keyword |
+| crowdstrike.InterfaceGuid | | keyword |
+| crowdstrike.InterfaceIndex | | long |
+| crowdstrike.InterfaceType | | keyword |
+| crowdstrike.InterfaceVersion | | keyword |
+| crowdstrike.IrpFlags | | keyword |
+| crowdstrike.IsOnNetwork | | keyword |
+| crowdstrike.IsOnRemovableDisk | | keyword |
+| crowdstrike.IsTransactedFile | | keyword |
+| crowdstrike.KernelTime | | long | 
+| crowdstrike.LfoUploadFlags | | keyword |
+| crowdstrike.LightningLatencyState | | keyword |
+| crowdstrike.Line | | keyword |
+| crowdstrike.LogicalCoreCount | | long |
+| crowdstrike.LoginSessionId | | keyword |
+| crowdstrike.LogoffTime | | date |
+| crowdstrike.LogonDomain | | keyword |
+| crowdstrike.LogonId | | keyword |
+| crowdstrike.LogonServer | | keyword |
+| crowdstrike.LogonTime | | date |
+| crowdstrike.LogonType | | keyword |
+| crowdstrike.MLModelVersion | | keyword |
+| crowdstrike.MachOSubType | | keyword |
+| crowdstrike.MajorFunction | | keyword |
+| crowdstrike.MajorVersion | | keyword |
+| crowdstrike.Malicious | | keyword |
+| crowdstrike.MaxThreadCount | | long |
+| crowdstrike.MemoryTotal | | keyword |
+| crowdstrike.MicrocodeSignature | | keyword |
+| crowdstrike.MinorFunction | | keyword |
+| crowdstrike.MinorVersion | | keyword |
+| crowdstrike.MoboManufacturer | | keyword |
+| crowdstrike.MoboProductName | | keyword |
+| crowdstrike.ModelPrediction | | keyword |
+| crowdstrike.ModuleLoadCount | | long |
+| crowdstrike.NDRoot | | keyword |
+| crowdstrike.NeighborList | | keyword |
+| crowdstrike.NetLuidIndex | | long |
+| crowdstrike.NetworkBindCount | | long |
+| crowdstrike.NetworkCapableAsepWriteCount | | long |
+| crowdstrike.NetworkCloseCount | | long |
+| crowdstrike.NetworkConnectCount | | long |
+| crowdstrike.NetworkConnectCountUdp | | long |
+| crowdstrike.NetworkContainmentState | | keyword |
+| crowdstrike.NetworkListenCount | | long |
+| crowdstrike.NetworkModuleLoadCount | | long |
+| crowdstrike.NetworkRecvAcceptCount | | long |
+| crowdstrike.NewExecutableWrittenCount | | long |
+| crowdstrike.NewFileIdentifier | | keyword |
+| crowdstrike.OSVersionFileData | | keyword |
+| crowdstrike.OSVersionFileName | | keyword |
+| crowdstrike.OU | | keyword |
+| crowdstrike.OperationFlags | | keyword |
+| crowdstrike.Options | | keyword |
+| crowdstrike.OutErrors | | keyword |
+| crowdstrike.OutMulticastPkts | | keyword |
+| 
crowdstrike.OutOctets | | keyword |
+| crowdstrike.OutUcastPkts | | keyword |
+| crowdstrike.Parameter1 | | keyword |
+| crowdstrike.Parameter2 | | keyword |
+| crowdstrike.Parameter3 | | keyword |
+| crowdstrike.ParentAuthenticationId | | keyword |
+| crowdstrike.PasswordLastSet | | keyword |
+| crowdstrike.PciAttachmentState | | keyword |
+| crowdstrike.PhysicalAddressLength | | long |
+| crowdstrike.PhysicalCoreCount | | long |
+| crowdstrike.PointerSize | | keyword |
+| crowdstrike.PreviousConnectTime | | date |
+| crowdstrike.PrivilegedProcessHandleCount | | long |
+| crowdstrike.PrivilegesBitmask | | keyword |
+| crowdstrike.ProcessCount | | long |
+| crowdstrike.ProcessCreateFlags | | keyword |
+| crowdstrike.ProcessParameterFlags | | keyword |
+| crowdstrike.ProcessSxsFlags | | keyword |
+| crowdstrike.ProcessorPackageCount | | long |
+| crowdstrike.ProductType | | keyword |
+| crowdstrike.ProtectVirtualMemoryCount | | long |
+| crowdstrike.ProvisionState | | keyword |
+| crowdstrike.PupAdwareConfidence | | keyword |
+| crowdstrike.PupAdwareDecisionValue | | keyword |
+| crowdstrike.QueueApcCount | | long |
+| crowdstrike.RFMState | | keyword |
+| crowdstrike.RGID | | keyword |
+| crowdstrike.RUID | | keyword |
+| crowdstrike.ReasonOfFunctionalityLevel | | keyword |
+| crowdstrike.RegKeySecurityDecreasedCount | | long |
+| crowdstrike.RemoteAccount | | keyword |
+| crowdstrike.RemovableDiskFileWrittenCount | | long |
+| crowdstrike.RequestType | | keyword |
+| crowdstrike.RpcClientProcessId | | keyword |
+| crowdstrike.RpcClientThreadId | | keyword |
+| crowdstrike.RpcNestingLevel | | keyword |
+| crowdstrike.RpcOpNum | | keyword |
+| crowdstrike.RunDllInvocationCount | | long |
+| crowdstrike.SVGID | | keyword |
+| crowdstrike.SVUID | | keyword |
+| crowdstrike.ScreenshotsTakenCount | | long |
+| crowdstrike.ScriptEngineInvocationCount | | long |
+| crowdstrike.SensorGroupingTags | | keyword |
+| crowdstrike.SensorStateBitMap | | keyword |
+| 
crowdstrike.ServiceDisplayName | | keyword |
+| crowdstrike.ServiceEventCount | | long |
+| crowdstrike.ServicePackMajor | | keyword |
+| crowdstrike.SessionId | | keyword |
+| crowdstrike.SessionProcessId | | keyword |
+| crowdstrike.SetThreadContextCount | | long |
+| crowdstrike.ShareAccess | | keyword |
+| crowdstrike.SiteName | | keyword |
+| crowdstrike.Size | | long |
+| crowdstrike.SnapshotFileOpenCount | | long |
+| crowdstrike.SourceFileName | | keyword |
+| crowdstrike.SourceProcessId | | keyword |
+| crowdstrike.SourceThreadId | | keyword |
+| crowdstrike.Status | | keyword |
+| crowdstrike.SubStatus | | keyword |
+| crowdstrike.SuppressType | | keyword |
+| crowdstrike.SuspectStackCount | | long |
+| crowdstrike.SuspiciousCredentialModuleLoadCount | | long |
+| crowdstrike.SuspiciousDnsRequestCount | | long |
+| crowdstrike.SuspiciousFontLoadCount | | long |
+| crowdstrike.SuspiciousRawDiskReadCount | | long |
+| crowdstrike.SyntheticPR2Flags | | keyword |
+| crowdstrike.SystemManufacturer | | keyword |
+| crowdstrike.SystemProductName | | keyword |
+| crowdstrike.SystemSerialNumber | | keyword |
+| crowdstrike.SystemSku | | keyword |
+| crowdstrike.SystemTableIndex | | long |
+| crowdstrike.Tags | | keyword |
+| crowdstrike.TargetFileName | | keyword |
+| crowdstrike.TargetThreadId | | keyword |
+| crowdstrike.Time | | date |
+| crowdstrike.Timeout | | long |
+| crowdstrike.TokenType | | keyword |
+| crowdstrike.USN | | keyword |
+| crowdstrike.UnixMode | | keyword |
+| crowdstrike.UnsignedModuleLoadCount | | long |
+| crowdstrike.UploadId | | keyword |
+| crowdstrike.UserFlags | | keyword |
+| crowdstrike.UserGroupsBitmask | | keyword |
+| crowdstrike.UserLogoffType | | keyword |
+| crowdstrike.UserLogonFlags | | keyword |
+| crowdstrike.UserMemoryAllocateExecutableCount | | long |
+| crowdstrike.UserMemoryAllocateExecutableRemoteCount | | long |
+| crowdstrike.UserMemoryProtectExecutableCount | | long |
+| 
crowdstrike.UserMemoryProtectExecutableRemoteCount | | long |
+| crowdstrike.UserSid | | keyword |
+| crowdstrike.UserTime | | long |
+| crowdstrike.VerifiedCertificate | | keyword |
+| crowdstrike.VnodeModificationType | | keyword |
+| crowdstrike.VnodeType | | keyword |
+| crowdstrike.VolumeAppearanceTime | | keyword |
+| crowdstrike.VolumeBusName | | keyword |
+| crowdstrike.VolumeBusPath | | keyword |
+| crowdstrike.VolumeDeviceCharacteristics | | keyword |
+| crowdstrike.VolumeDeviceInternal | | keyword |
+| crowdstrike.VolumeDeviceModel | | keyword |
+| crowdstrike.VolumeDeviceObjectFlags | | keyword |
+| crowdstrike.VolumeDevicePath | | keyword |
+| crowdstrike.VolumeDeviceProtocol | | keyword |
+| crowdstrike.VolumeDeviceRevision | | keyword |
+| crowdstrike.VolumeDeviceType | | keyword |
+| crowdstrike.VolumeDriveLetter | | keyword |
+| crowdstrike.VolumeFileSystemDevice | | keyword |
+| crowdstrike.VolumeFileSystemDriver | | keyword |
+| crowdstrike.VolumeFileSystemType | | keyword |
+| crowdstrike.VolumeIsEncrypted | | keyword |
+| crowdstrike.VolumeIsNetwork | | keyword |
+| crowdstrike.VolumeMediaBSDMajor | | keyword |
+| crowdstrike.VolumeMediaBSDMinor | | keyword |
+| crowdstrike.VolumeMediaBSDName | | keyword |
+| crowdstrike.VolumeMediaBSDUnit | | keyword |
+| crowdstrike.VolumeMediaContent | | keyword |
+| crowdstrike.VolumeMediaEjectable | | keyword |
+| crowdstrike.VolumeMediaName | | keyword |
+| crowdstrike.VolumeMediaPath | | keyword |
+| crowdstrike.VolumeMediaRemovable | | keyword |
+| crowdstrike.VolumeMediaSize | | keyword |
+| crowdstrike.VolumeMediaUUID | | keyword |
+| crowdstrike.VolumeMediaWhole | | keyword |
+| crowdstrike.VolumeMediaWritable | | keyword |
+| crowdstrike.VolumeMountPoint | | keyword |
+| crowdstrike.VolumeName | | keyword |
+| crowdstrike.VolumeRealDeviceName | | keyword |
+| crowdstrike.VolumeSectorSize | | keyword |
+| crowdstrike.VolumeType | | keyword |
+| crowdstrike.VolumeUUID | | keyword |
+| 
crowdstrike.WindowFlags | | keyword |
+| crowdstrike.cid | | keyword |
+| crowdstrike.name | | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| input.type | | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. 
It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.address | | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.continent_name | Name of the continent. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.country_name | Country name. 
| keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| observer.geo.region_iso_code | Region ISO code. | keyword | +| observer.geo.region_name | Region name. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| os.version | Operating system version as a raw string. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.title | Process title. The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. 
| match_only_text | + + +An example event for `fdr` looks as following: + +```json +{ + "@timestamp": "2020-11-08T09:58:32.519Z", + "agent": { + "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba", + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "crowdstrike": { + "ConfigStateHash": "1763245019", + "DesiredAccess": "1179785", + "EffectiveTransmissionClass": "3", + "Entitlements": "15", + "FileAttributes": "0", + "FileObject": "18446670458156489088", + "Information": "1", + "IrpFlags": "2180", + "MajorFunction": "0", + "MinorFunction": "0", + "OperationFlags": "0", + "Options": "16777312", + "ShareAccess": "5", + "Status": "0", + "cid": "ffffffff30a3407dae27d0503611022d", + "name": "RansomwareOpenFileV4" + }, + "data_stream": { + "dataset": "crowdstrike.fdr", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "RansomwareOpenFile", + "agent_id_status": "verified", + "category": [ + "file" + ], + "created": "2020-11-08T17:07:22.091Z", + "dataset": "crowdstrike.fdr", + "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", + "ingested": "2022-05-09T16:39:37Z", + "kind": "alert", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", + "outcome": "success", + "timezone": "+00:00", + "type": [ + "access" + ] + }, + "file": { + "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", + "extension": "pptx", + "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", + "name": "file.pptx", + "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", + "type": "file" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fdr-sample.log" + }, + "offset": 95203 + }, + "observer": { + "address": "67.43.156.14", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "os": { + "type": "windows" + }, + "process": { + "entity_id": "1016182570608", + "thread": { + "id": 37343520154472 + } + }, + "related": { 
+ "hash": [ + "1763245019" + ], + "hosts": [ + "67.43.156.14" + ], + "ip": [ + "67.43.156.14" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-fdr" + ], + "url": { + "scheme": "http" + } +} +``` diff --git a/packages/crowdstrike/1.3.2/img/fdr-overview.png b/packages/crowdstrike/1.3.2/img/fdr-overview.png new file mode 100755 index 0000000000..a960bc3781 Binary files /dev/null and b/packages/crowdstrike/1.3.2/img/fdr-overview.png differ diff --git a/packages/crowdstrike/1.3.2/img/logo-integrations-crowdstrike.svg b/packages/crowdstrike/1.3.2/img/logo-integrations-crowdstrike.svg new file mode 100755 index 0000000000..1b2195a224 --- /dev/null +++ b/packages/crowdstrike/1.3.2/img/logo-integrations-crowdstrike.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/crowdstrike/1.3.2/img/siem-alerts-cs.jpg b/packages/crowdstrike/1.3.2/img/siem-alerts-cs.jpg new file mode 100755 index 0000000000..b74edfe229 Binary files /dev/null and b/packages/crowdstrike/1.3.2/img/siem-alerts-cs.jpg differ diff --git a/packages/crowdstrike/1.3.2/img/siem-events-cs.jpg b/packages/crowdstrike/1.3.2/img/siem-events-cs.jpg new file mode 100755 index 0000000000..9839f73821 Binary files /dev/null and b/packages/crowdstrike/1.3.2/img/siem-events-cs.jpg differ diff --git a/packages/crowdstrike/1.3.2/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/1.3.2/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json new file mode 100755 index 0000000000..a8960ff152 --- /dev/null +++ b/packages/crowdstrike/1.3.2/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "Summarised overview for Crowdstrike FDR events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"0307e118-9fac-4923-ad6e-b588a8bd939f\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"observer.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"4c8af7e5-4ec6-43de-84ea-8df092cea5f8\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"6b7c69d1-9248-4af3-b437-0abcef344b67\\\",\\\"label\\\":\\\"Agent 
locations\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"0314931e-5e8d-4609-be8a-b478a6afed11\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"c
olor\\\":\\\"#494193\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"1b3c966b-6756-41dc-8875-a936e36dd0c2\\\",\\\"label\\\":\\\"Connections\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15M\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\
\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":25.7461,\"lon\":0,\"zoom\":0.73},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"26961648-cc31-4ed6-a378-698523307b21\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"26961648-cc31-4ed6-a378-698523307b21\",\"title\":\"Agents and connections\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1928976e-020d-48bd-9887-d9fd1925f69e\":{\"columnOrder\":[\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"5ec733a8-d11d-472d-9328-3c48b41a17ac\"],\"columns\":{\"5ec733a8-d11d-472d-9328-3c48b41a17ac\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7aaadac8-55b7-4979-9bf1-b02a9673b502\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
events\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":true,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"isTransposed\":false,\"summaryRow\":\"none\"}],\"layerId\":\"1928976e-020d-48bd-9887-d9fd1925f69e\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"w\":10,\"x\":16,\"y\":0},\"panelIndex\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"085f4952-432b-4bd3-9740-e99f42a7877b\":{\"columnOrder\":[\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"0a3ada5d-923b-461b-8885-e7fdcd948034\"],\"columns\":{\"0a3ada5d-923b-461b-8885-e7fdcd948034\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"DnsRequest\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"DnsRequest\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"isTransposed\":false}],\"layerId\":\"085f4952-432b-4bd3-9740-e99f42a7877b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"w\":9,\"x\":26,\"y\":9},\"panelIndex\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"title\":\"Top DNS 
queries\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"880420b9-97fb-4f5a-8dd2-36f95cb02182\":{\"columnOrder\":[\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"c90d7c88-034f-42f4-94d2-605ae294940e\"],\"columns\":{\"45f3413c-e658-43ec-bf3a-ad25977fb32c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c90d7c88-034f-42f4-94d2-605ae294940e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"isTransposed\":false},{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"880420b9-97fb-4f5a-8dd2-36f95cb02182\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"title\":\"Top 
users\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\":{\"columnOrder\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\",\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\"],\"columns\":{\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of dns.question.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\"},\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\"],\"layerId\":\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"legendDisplay\":\"default\",\"metric\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"757dd906-982e-437f-aac0-b090310b9288\",\"w\":9,\"x\":26,\"y\":20},\"panelIndex\":\"757dd906-982e-437f-aac0-b090310b9288\",\"title\":\"DNS query 
types\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8088761-74a6-433a-a405-f26c709cebe3\":{\"columnOrder\":[\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\"],\"columns\":{\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"isTransposed\":false},{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"isTransposed\":false}],\"layerId\":\"c8088761-74a6-433a-a405-f26c709cebe3\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"w\":13,\"x\":35,\"y\":12},\"panelIndex\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"911bafb0-aeb7-4830-8a40-6166c96fb123\":{\"columnOrder\":[\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\",\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"columns\":{\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"layerId\":\"911bafb0-aeb7-4830-8a40-6166c96fb123\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\":{\"columnOrder\":[\"b00df131-3742-4fa3-8645-032847f0266b\",\"b89debc2-4203-43c7-ba15-6612030f67bd\"],\"columns\":{\"b00df131-3742-4fa3-8645-032847f0266b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
alerts\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"b89debc2-4203-43c7-ba15-6612030f67bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b00df131-3742-4fa3-8645-032847f0266b\",\"isTransposed\":false},{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"isTransposed\":false}],\"layerId\":\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"w\":9,\"x\":26,\"y\":0},\"panelIndex\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Crowdstrike] FDR Overview", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f", + "migrationVersion": { + "dashboard": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "26961648-cc31-4ed6-a378-698523307b21:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26961648-cc31-4ed6-a378-698523307b21:layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:filter-index-pattern-0",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.2/manifest.yml b/packages/crowdstrike/1.3.2/manifest.yml
new file mode 100755
index 0000000000..736dfdaf45
--- /dev/null
+++ b/packages/crowdstrike/1.3.2/manifest.yml
@@ -0,0 +1,42 @@
+name: crowdstrike
+title: CrowdStrike Logs
+version: "1.3.2"
+description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/logo-integrations-crowdstrike.svg
+ title: CrowdStrike
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/siem-alerts-cs.jpg
+ title: CrowdStrike SIEM Alerts
+ size: 3360x1776
+ type: image/jpg
+ - src: /img/siem-events-cs.jpg
+ title: CrowdStrike SIEM Events
+ size: 3360x1776
+ type: image/jpg
+ - src: /img/fdr-overview.png
+ title: CrowdStrike FDR Overview
+ size: 1535x626
+ type: image/png
+policy_templates:
+ - name: crowdstrike
+ title: CrowdStrike
+ description: Collect logs from CrowdStrike Falcon and FDR
+ inputs:
+ - type: logfile
+ title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)"
+ description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)"
+ - type: aws-s3
+ title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)"
+ description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cylance/0.8.1/changelog.yml b/packages/cylance/0.8.1/changelog.yml
new file mode 100755
index 0000000000..0658b99d1d
--- /dev/null
+++ b/packages/cylance/0.8.1/changelog.yml
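Review bot: The `type: image/jpg` on the two screenshot entries is not a registered media type; the standard value for `.jpg` files is `image/jpeg`, so a strict consumer of the manifest may reject or ignore those screenshots. Both the `siem-alerts-cs.jpg` and `siem-events-cs.jpg` entries are affected, while the `.png` and `.svg` entries are already correct. The top-level description also mixes `falcon` and `Crowdstrike` with the `CrowdStrike Falcon` casing used everywhere else in the file; `description: Collect and parse Falcon logs from CrowdStrike products with Elastic Agent.` would be consistent.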
@@ -0,0 +1,91 @@
+# newer versions go on top
+- version: "0.8.1"
+ changes:
+ - description: Format host.mac as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3368
+- version: "0.8.0"
+ changes:
+ - description: Update to ECS 8.2.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "0.7.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2583
+- version: "0.6.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.6.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2228
+- version: "0.5.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2025
+- version: "0.5.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1963
+- version: "0.5.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "0.5.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1815
+- version: "0.5.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1658
+- version: "0.4.3"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.4.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1475
+- version: '0.4.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1381
+- version: "0.4.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1261
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1040
+- version: "0.1.4"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/843
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/package-storage/pull/181
diff --git a/packages/cylance/0.8.1/data_stream/protect/agent/stream/stream.yml.hbs b/packages/cylance/0.8.1/data_stream/protect/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..d128dbb819
--- /dev/null
+++ b/packages/cylance/0.8.1/data_stream/protect/agent/stream/stream.yml.hbs
@@ -0,0 +1,3592 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = 
lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var 
part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + 
dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} 
%{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + 
on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, 
Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 
= msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", 
"nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + 
+ var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: 
processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", 
"nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", 
"nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/cylance/0.8.1/data_stream/protect/agent/stream/tcp.yml.hbs b/packages/cylance/0.8.1/data_stream/protect/agent/stream/tcp.yml.hbs new file mode 100755
index 0000000000..b01c278ac2
--- /dev/null
+++ b/packages/cylance/0.8.1/data_stream/protect/agent/stream/tcp.yml.hbs
@@ -0,0 +1,3589 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = 
lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var 
part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + 
dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} 
%{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + 
on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, 
Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 
= msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", 
"nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + 
+ var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: 
processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", 
"nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", 
"nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cylance/0.8.1/data_stream/protect/agent/stream/udp.yml.hbs b/packages/cylance/0.8.1/data_stream/protect/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..85eadd5d19 --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3589 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = 
lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var 
part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + 
dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} 
%{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + 
on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, 
Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 
= msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", 
"nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + 
+ var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: 
processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", 
"nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", 
"nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cylance/0.8.1/data_stream/protect/elasticsearch/ingest_pipeline/default.yml b/packages/cylance/0.8.1/data_stream/protect/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..451e19a92d --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,82 @@ +--- +description: Pipeline for CylanceProtect + +processors: + - set: + field: ecs.version + value: '8.2.0' + - gsub: + field: host.mac + ignore_missing: true + pattern: '[:]' + replacement: '-' + - uppercase: + field: host.mac + ignore_missing: true + - script: + description: Convert host.mac to an array. + if: ctx.host?.mac != null && ctx.host.mac instanceof String + lang: painless + source: + ctx.host.mac = [ctx.host.mac]; + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
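Review bot: The `on_failure` block at the end of this hunk records a processing failure only by appending to `error.message`, so documents that fell out of the pipeline are indistinguishable from successfully parsed ones when querying or alerting on this data stream. Add a marker next to the append so failed documents can be found and triaged: `- set:` / `field: event.kind` / `value: pipeline_error` (an allowed ECS `event.kind` value). Separately, the pipeline enriches `source.ip` and `destination.ip` via `geoip` but only `related.hosts` is populated (from `host.name`); unless the agent-side script already fills `related.ip`, an `append` of each address to `related.ip` guarded by `if: ctx.source?.ip != null` (and the `destination` equivalent) with `allow_duplicates: false` would keep IP pivoting consistent with the host-name handling.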
diff --git a/packages/cylance/0.8.1/data_stream/protect/fields/base-fields.yml b/packages/cylance/0.8.1/data_stream/protect/fields/base-fields.yml new file mode 100755 index 0000000000..f7a828b753 --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/fields/base-fields.yml @@ -0,0 +1,46 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cylance +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cylance.protect +- name: '@timestamp' + type: date + description: Event timestamp. +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/cylance/0.8.1/data_stream/protect/fields/ecs.yml b/packages/cylance/0.8.1/data_stream/protect/fields/ecs.yml new file mode 100755 index 0000000000..78ddffacce --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/fields/ecs.yml 
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/cylance/0.8.1/data_stream/protect/fields/fields.yml b/packages/cylance/0.8.1/data_stream/protect/fields/fields.yml new file mode 100755 index 0000000000..489a873293 --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/fields/fields.yml 
@@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process.
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy.
This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it’s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it’s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it’s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under.
Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only, when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity.
Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer’s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP Maxmind database.
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/cylance/0.8.1/data_stream/protect/manifest.yml b/packages/cylance/0.8.1/data_stream/protect/manifest.yml new file mode 100755 index 0000000000..842a9e3ea5 --- /dev/null +++ b/packages/cylance/0.8.1/data_stream/protect/manifest.yml 
@@ -0,0 +1,204 @@
+title: CylanceProtect logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9529
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9529
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: CylanceProtect logs
+ description: Collect CylanceProtect logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cylance-protect.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cylance-protect
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cylance/0.8.1/data_stream/protect/sample_event.json b/packages/cylance/0.8.1/data_stream/protect/sample_event.json
new file mode 100755
index 0000000000..770512969e
--- /dev/null
+++ b/packages/cylance/0.8.1/data_stream/protect/sample_event.json
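Review bot: The `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` variables carry only a `title` in all three streams, while `preserve_original_event` and `processors` also get a `description`; since these settings decide what is kept on the indexed event, they deserve the same treatment, e.g. `description: Offset applied to timestamps that carry no timezone; "local" uses the agent's timezone, otherwise a +HH:mm value.` under `tz_offset` and `description: Keep the intermediate parser fields on the event instead of dropping them.` under `keep_raw_fields` (the exact behaviour is not visible here and should be checked against the pipeline). A style point: the `processors` description is `>` in the udp and tcp streams but `>-` in the logfile stream, so the first two carry a trailing newline the third does not; `>-` in all three makes them identical. The `localhost` defaults for `udp_host` and `tcp_host` keep the unauthenticated syslog listeners on the loopback interface unless an operator widens them, which is the right default to preserve.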
@@ -0,0 +1,85 @@ +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "59f54338-3ade-4554-a66e-005e3f777eec", + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.1.3" + }, + "data_stream": { + "dataset": "cylance.protect", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "snapshot": false, + "version": "8.1.3" + }, + "event": { + "action": "ZoneAdd", + "agent_id_status": "verified", + "code": "CylancePROTECT", + "dataset": "cylance.protect", + "ingested": "2022-05-17T13:06:35Z", + "original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore \u003c\u003csequa\u003eabo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", + "timezone": "+00:00" + }, + "host": { + "name": "nostrud4819.mail.test" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:40993" + } + }, + "observer": { + "product": "Protect", + "type": "Anti-Virus", + "vendor": "Cylance" + }, + "related": { + "hosts": [ + "nostrud4819.mail.test" + ] + }, + "rsa": { + "identity": { + "firstname": "uii", + "lastname": "umexe" + }, + "internal": { + "messageid": "CylancePROTECT" + }, + "investigations": { + "event_cat": 1901000000, + "event_cat_name": "Other.Default", + "event_vcat": " AuditLog" + }, + "misc": { + "event_type": "ZoneAdd", + "mail_id": "estlabo", + "node": "pisciv", + "policy_name": "orev" + }, + "network": { + "alias_host": [ + "nostrud4819.mail.test" + ] + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] +} \ No newline at end of file 
diff --git a/packages/cylance/0.8.1/docs/README.md b/packages/cylance/0.8.1/docs/README.md new file mode 100755 index 0000000000..dac5c1e3bf --- /dev/null +++ b/packages/cylance/0.8.1/docs/README.md 
@@ -0,0 +1,796 @@ +# Cylance integration + +This integration is for Cylance device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `protect` dataset: supports CylanceProtect logs. + +### Protect + +The `protect` dataset collects CylanceProtect logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. 
| keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. 
| keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. 
This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. 
| keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| 
rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| 
rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/cylance/0.8.1/img/logo.svg b/packages/cylance/0.8.1/img/logo.svg new file mode 100755 index 0000000000..ccd6004d19 --- /dev/null +++ b/packages/cylance/0.8.1/img/logo.svg @@ -0,0 +1,82 @@ + + + + +Cylance_BB_Logo_RGB_Vert_Black + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/cylance/0.8.1/manifest.yml b/packages/cylance/0.8.1/manifest.yml new file mode 100755 index 0000000000..ecc403f9e8 --- /dev/null +++ b/packages/cylance/0.8.1/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: cylance
+title: CylanceProtect Logs
+version: "0.8.1"
+description: Collect logs from CylanceProtect devices with Elastic Agent.
+categories: ["security"]
+release: experimental
+license: basic
+type: integration
+conditions:
+ kibana.version: "^7.14.1 || ^8.0.0"
+policy_templates:
+ - name: protect
+ title: CylanceProtect
+ description: Collect CylanceProtect logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from CylanceProtect via UDP
+ description: Collecting syslog from CylanceProtect via UDP
+ - type: tcp
+ title: Collect logs from CylanceProtect via TCP
+ description: Collecting syslog from CylanceProtect via TCP
+ - type: logfile
+ title: Collect logs from CylanceProtect via file
+ description: Collecting syslog from CylanceProtect via file.
+icons:
+ - src: /img/logo.svg
+ title: CylanceProtect logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/fim/1.0.0/changelog.yml b/packages/fim/1.0.0/changelog.yml
new file mode 100755
index 0000000000..e07ad471d7
--- /dev/null
+++ b/packages/fim/1.0.0/changelog.yml
@@ -0,0 +1,11 @@
+# newer versions go on top
+- version: "1.0.0"
+ changes:
+ - description: "Make GA and compatible with 8.2"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3389
+- version: "0.1.0"
+ changes:
+ - description: Initial version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3143
diff --git a/packages/fim/1.0.0/data_stream/event/agent/stream/file_integrity.yml.hbs b/packages/fim/1.0.0/data_stream/event/agent/stream/file_integrity.yml.hbs
new file mode 100755
index 0000000000..b849d82f35
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/agent/stream/file_integrity.yml.hbs
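Review bot: The three input descriptions under `inputs:` are inconsistent (`via file.` carries a trailing period, `via UDP` and `via TCP` do not) and none of them warns that syslog received over UDP is unauthenticated and source-spoofable, which matters when the feed is an endpoint-protection product's alert stream. Suggest `description: Collecting syslog from CylanceProtect via UDP (unauthenticated; restrict the listener to trusted senders)` and, for the TCP input, a note on whether TLS can be enabled. Whether the data stream's tcp input exposes an `ssl` variable is not visible in this manifest hunk, so that wording should be checked against the data_stream manifest before it is added.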
@@ -0,0 +1,33 @@
+type: audit/file_integrity
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+recursive: {{recursive}}
+scan_at_start: {{scan_at_start}}
+hash_types:
+{{#each hash_types as |hash i|}}
+ - {{hash}}
+{{/each}}
+max_file_size: {{max_file_size}}
+scan_rate_per_sec: {{scan_rate_per_sec}}
+exclude_files:
+{{#each exclude_files as |expr i|}}
+ - {{expr}}
+{{/each}}
+include_files:
+{{#each include_files as |expr i|}}
+ - {{expr}}
+{{/each}}
+keep_null: {{keep_null}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/fim/1.0.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/fim/1.0.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6f32ffadf5
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,10 @@
+---
+description: Pipeline for processing auditd events
+processors:
+ - set:
+ field: ecs.version
+ value: 8.2.0
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/fim/1.0.0/data_stream/event/fields/agent.yml b/packages/fim/1.0.0/data_stream/event/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/fields/agent.yml
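Review bot: The `- {{path}}` and `- {{expr}}` items rendered under `paths`, `exclude_files` and `include_files` are emitted as plain unquoted YAML scalars, so an operator-supplied path or regex that starts with `*`, `&`, `[` or `{`, or that contains `: ` or ` #`, is parsed as an alias, a flow collection or a truncated comment rather than the intended string — and for `exclude_files` a silently mangled pattern changes which files the integrity monitor ignores. A single-quoted form, `- '{{path}}'` and `- '{{expr}}'`, keeps regex backslashes literal and survives those characters; whether the package tooling already escapes these values is not visible from this template, so confirm before changing. A one-line comment above `exclude_files:` noting that an over-broad pattern here disables tamper detection for the matched paths would also help whoever edits the policy later.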
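Review bot: `description: Pipeline for processing auditd events` on the new `default.yml` looks copied from the auditd package; this pipeline serves the fim data stream, so `description: Pipeline for processing file integrity events`. The `on_failure` handler only records `error.message`; if the other packages in this repository also set `event.kind: pipeline_error` there, matching them would let detection rules separate failed-ingest documents from real file events — I cannot confirm that convention from this diff alone.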
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/fim/1.0.0/data_stream/event/fields/base-fields.yml b/packages/fim/1.0.0/data_stream/event/fields/base-fields.yml
new file mode 100755
index 0000000000..0c26baedb3
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/fields/base-fields.yml
@@ -0,0 +1,25 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: file_integrity
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: fim.event
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/fim/1.0.0/data_stream/event/fields/ecs.yml b/packages/fim/1.0.0/data_stream/event/fields/ecs.yml
new file mode 100755
index 0000000000..1c4750f18d
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/fields/ecs.yml
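Review bot: `cloud.project.id` and `cloud.image.id` in the new agent.yml are the only `cloud` entries without `level` and `ignore_above: 1024`, and the former is described as `Name of the project in Google Cloud.` although the field is an identifier. Suggest `description: Unique identifier of the project in Google Cloud.` and adding `ignore_above: 1024` to both so that an oversized value from agent metadata is dropped from the index rather than rejecting the whole document, matching the sibling fields. The hunk ends outside my view, so later fields in this file were not checked.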
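Review bot: `event.module` is pinned to `value: file_integrity` while `event.dataset` is `fim.event` and the package is named `fim`; if this repository's convention is that `event.module` equals the package name, this should be `value: fim`, and the mismatch would otherwise break dashboards and detection rules that filter on `event.module: fim`. If `file_integrity` is deliberate for compatibility with the Auditbeat module name, a comment above that line saying so would stop the next reader from changing it.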
@@ -0,0 +1,259 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Primary group ID (GID) of the file. + name: file.gid + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: file.mime_type + type: keyword +- description: Mode of the file in octal representation. + name: file.mode + type: keyword +- description: Last time the file content was modified. 
+ name: file.mtime + type: date +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Target path for symlinks. + multi_fields: + - name: text + type: match_only_text + name: file.target_path + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: The user ID (UID) or security identifier (SID) of the file owner. + name: file.uid + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + The type of the service data is collected from. 
+ The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. 
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.effective.name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.group.id
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.target.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.target.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
diff --git a/packages/fim/1.0.0/data_stream/event/fields/package-fields.yml b/packages/fim/1.0.0/data_stream/event/fields/package-fields.yml
new file mode 100755
index 0000000000..69aaa4e9cc
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/fields/package-fields.yml
@@ -0,0 +1,22 @@
+- name: file
+ type: group
+ description: File attributes.
+ fields:
+ - name: setuid
+ type: boolean
+ example: true
+ description: Set if the file has the `setuid` bit set. Omitted otherwise.
+ - name: setgid
+ type: boolean
+ example: true
+ description: Set if the file has the `setgid` bit set. Omitted otherwise.
+ - name: origin
+ type: keyword
+ description: >
+ An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
+
+ multi_fields:
+ - name: text
+ type: text
+ description: >-
+ This is an analyzed field that is useful for full text search on the origin data.
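Review bot: Only `file.hash.sha1` is declared in this ecs.yml hunk, while the package manifest later in this diff lets `hash_types` select md5, sha256, sha512, blake2b, sha3 and xxh64 variants; an event hashed with anything other than sha1 would carry a `file.hash.<type>` key that this mapping does not declare, so whether it is indexed as an exact keyword then depends on the template's dynamic-mapping behaviour rather than on an explicit mapping. I would declare at least the ECS hash fields the option can produce so they are reliably queryable and usable for threat-intel matching. If the omission is deliberate because the package is meant to stay sha1-only, the manifest's list of supported types should be narrowed to match.
```yaml
# … unchanged: file.gid / file.group entries …
- description: MD5 hash.
  name: file.hash.md5
  type: keyword
# … unchanged: existing file.hash.sha1 entry …
- description: SHA256 hash.
  name: file.hash.sha256
  type: keyword
- description: SHA512 hash.
  name: file.hash.sha512
  type: keyword
# … unchanged: file.inode and following entries …
```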
diff --git a/packages/fim/1.0.0/data_stream/event/manifest.yml b/packages/fim/1.0.0/data_stream/event/manifest.yml
new file mode 100755
index 0000000000..9ae128e183
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/manifest.yml
@@ -0,0 +1,7 @@
+title: "Filesystem events"
+type: logs
+streams:
+ - input: audit/file_integrity
+ title: Filesystem events
+ description: Collect filesystem events
+ template_path: file_integrity.yml.hbs
diff --git a/packages/fim/1.0.0/data_stream/event/sample_event.json b/packages/fim/1.0.0/data_stream/event/sample_event.json
new file mode 100755
index 0000000000..cad238a1e2
--- /dev/null
+++ b/packages/fim/1.0.0/data_stream/event/sample_event.json
@@ -0,0 +1,64 @@
+{
+ "@timestamp": "2022-04-20T09:02:19.365Z",
+ "agent": {
+ "ephemeral_id": "5c919e9b-3b1f-4426-b93f-f5705bac73f9",
+ "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1",
+ "name": "docker-fleet-agent",
+ "type": "auditbeat",
+ "version": "8.3.0"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1",
+ "snapshot": true,
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "dataset": "fim.event",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "event": {
+ "action": [
+ "attributes_modified"
+ ],
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "dataset": "fim.event",
+ "ingested": "2022-04-20T09:02:20Z",
+ "kind": "event",
+ "module": "file_integrity",
+ "type": [
+ "change"
+ ]
+ },
+ "file": {
+ "ctime": "2022-04-20T09:02:19.361Z",
+ "gid": "0",
+ "group": "root",
+ "hash": {
+ "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+ },
+ "inode": "56198717",
+ "mode": "0644",
+ "mtime": "2022-04-20T09:02:19.361Z",
+ "owner": "root",
+ "path": "/tmp/service_logs/done",
+ "size": 0,
+ "type": "file",
+ "uid": "0"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "service": {
+ "type": "file_integrity"
+ },
+ "tags": [
+ "fim-event"
+ ]
+}
\ No newline at end of file
diff --git a/packages/fim/1.0.0/docs/README.md b/packages/fim/1.0.0/docs/README.md new file mode 100755 index 0000000000..085ddf82b7 --- /dev/null +++ b/packages/fim/1.0.0/docs/README.md 
@@ -0,0 +1,207 @@ +# File Integrity Monitoring Integration + +This integration sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes. + +The integration is implemented for Linux, macOS (Darwin), and Windows. + + +| ⚠️ This integration should not be used to monitor paths on network file systems. | +| ---- | + +## How it works + +This integration uses features of the operating system to monitor file changes in realtime. When the integration starts it creates a subscription with the OS to receive notifications of changes to the specified files or directories. Upon receiving notification of a change the integration will read the file’s metadata and then compute a hash of the file’s contents. + +At startup this integration will perform an initial scan of the configured files and directories to generate baseline data for the monitored paths and detect changes since the last time it was run. It uses locally persisted data in order to only send events for new or modified files. + +## Compatibility + +The operating system features that power this feature are as follows: +- **Linux** - inotify is used, and therefore the kernel must have inotify support. Inotify was initially merged into the 2.6.13 Linux kernel. +- **macOS (Darwin)** - Uses the FSEvents API, present since macOS 10.5. This API coalesces multiple changes to a file into a single event. Auditbeat translates this coalesced changes into a meaningful sequence of actions. However, in rare situations the reported events may have a different ordering than what actually happened. +- **Windows** - ReadDirectoryChangesW is used. 
+ +An example event for `event` looks as following: + +```json +{ + "@timestamp": "2022-04-20T09:02:19.365Z", + "agent": { + "ephemeral_id": "5c919e9b-3b1f-4426-b93f-f5705bac73f9", + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "name": "docker-fleet-agent", + "type": "auditbeat", + "version": "8.3.0" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "snapshot": true, + "version": "8.3.0" + }, + "data_stream": { + "dataset": "fim.event", + "namespace": "ep", + "type": "logs" + }, + "event": { + "action": [ + "attributes_modified" + ], + "agent_id_status": "verified", + "category": [ + "file" + ], + "dataset": "fim.event", + "ingested": "2022-04-20T09:02:20Z", + "kind": "event", + "module": "file_integrity", + "type": [ + "change" + ] + }, + "file": { + "ctime": "2022-04-20T09:02:19.361Z", + "gid": "0", + "group": "root", + "hash": { + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + }, + "inode": "56198717", + "mode": "0644", + "mtime": "2022-04-20T09:02:19.361Z", + "owner": "root", + "path": "/tmp/service_logs/done", + "size": 0, + "type": "file", + "uid": "0" + }, + "host": { + "name": "docker-fleet-agent" + }, + "service": { + "type": "file_integrity" + }, + "tags": [ + "fim-event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. 
| keyword | +| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.origin | An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. | keyword | +| file.origin.text | Multi-field of `file.origin`. | text | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.setgid | Set if the file has the `setgid` bit set. Omitted otherwise. | boolean | +| file.setuid | Set if the file has the `setuid` bit set. Omitted otherwise. | boolean | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. 
| match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. 
| keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + diff --git a/packages/fim/1.0.0/img/sample-logo.svg b/packages/fim/1.0.0/img/sample-logo.svg new file mode 100755 index 0000000000..6268dd88f3 --- /dev/null +++ b/packages/fim/1.0.0/img/sample-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/fim/1.0.0/manifest.yml b/packages/fim/1.0.0/manifest.yml new file mode 100755 index 0000000000..c3e5b35b58 --- /dev/null +++ b/packages/fim/1.0.0/manifest.yml 
@@ -0,0 +1,132 @@ +format_version: 1.0.0 +name: fim +title: "File Integrity Monitoring" +version: 1.0.0 +license: basic +release: ga +description: "The File Integrity Monitoring integration reports filesystem changes in real time." +type: integration +categories: + - monitoring + - os_system + - security +conditions: + kibana.version: "^8.2.0" +icons: + - src: /img/sample-logo.svg + title: Sample logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: fim + title: File Integrity Monitoring + description: Collect filesystem events + inputs: + - type: audit/file_integrity + title: Collect filesystem events + description: Collecting filesystem events +vars: + - name: paths + type: text + title: Paths to monitor + description: Accepts wildcards + multi: true + show_user: true + required: true + default: + - /bin + - /usr/bin + - /sbin + - /usr/sbin + - /etc + - /usr/share + - name: recursive + type: bool + title: Recursive monitoring + description: Detect changes to files in subdirectories. + default: false + show_user: true + required: false + - name: scan_at_start + type: bool + title: Scan at start + description: | + Scan over the configured file paths at startup and send events for new or + modified files since the last time the agent was running. + show_user: true + required: false + default: true + - name: hash_types + type: text + title: Hash algorithms + description: | + Hash types to compute when the file changes. Supported types are: + `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, + `sha512`, `sha512_224`, `sha512_256`, `sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. + multi: true + show_user: true + required: false + default: + - sha1 + - name: max_file_size + type: text + title: File size limit + description: Limit on the size of files that will be hashed. 
+ show_user: false + required: false + default: 100 MiB + - name: scan_rate_per_sec + type: text + title: Scan rate + description: | + Average scan rate. This throttles the amount of CPU and I/O that will + be consumed at startup while scanning. + show_user: false + required: false + default: 50 MiB + - name: include_files + type: text + title: Include files + description: List of regular expressions used to explicitly include files. + multi: true + required: false + show_user: false + - name: exclude_files + type: text + title: Exclude files + description: | + List of regular expressions used to explicitly include files. When configured, + files will be ignored unless they match one of the patterns. + multi: true + show_user: false + required: false + default: + - '(?i)\.sw[nop]$' + - '~$' + - '/\.git($|/)' + - name: keep_null + type: bool + title: Keep null fields + description: Set to true to publish fields with null values + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false + default: + - fim-event + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: | + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. +owner: + github: elastic/security-external-integrations diff --git a/packages/fireeye/1.3.1/changelog.yml b/packages/fireeye/1.3.1/changelog.yml new file mode 100755 index 0000000000..3e1575fc75 --- /dev/null +++ b/packages/fireeye/1.3.1/changelog.yml 
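Review bot: The `exclude_files` description is copied from `include_files` and says the opposite of what the option presumably does (`List of regular expressions used to explicitly include files. When configured, files will be ignored unless they match one of the patterns.`); given the name and the defaults (`'~$'`, `'/\.git($|/)'`), a file matching one of these patterns is dropped from monitoring, so the text should read something like `List of regular expressions used to exclude files from monitoring. A file matching any of the patterns is ignored.` Separately, `hash_types` defaults to `sha1` alone, which is no longer collision-resistant; for an integrity-monitoring baseline, adding `sha256` to the default list is worth considering, hedged because the default may be kept deliberately for parity with the underlying Beat. The descriptions are user-facing policy-editor text, so the wording fix is the one to land before release.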
@@ -0,0 +1,55 @@
+- version: "1.3.1"
+ changes:
+ - description: Move invalid field value in sample event file
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3331
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.2.4"
+ changes:
+ - description: Move invalid field values
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3099
+- version: "1.2.3"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "1.2.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.1"
+ changes:
+ - description: Fix field mappings for `dns.id` and `network.iana_number`
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2892
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2404
+- version: "1.1.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.1.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2225
+- version: "1.0.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1887
diff --git a/packages/fireeye/1.3.1/data_stream/nx/agent/stream/stream.yml.hbs b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..2926520e1b
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/stream.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+- {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.3.1/data_stream/nx/agent/stream/tcp.yml.hbs b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..4cd8124d92
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+fields_under_root: true
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.3.1/data_stream/nx/agent/stream/udp.yml.hbs b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..405544b01a
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/agent/stream/udp.yml.hbs
@@ -0,0 +1,19 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+fields_under_root: true
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..208d849700
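Review bot: stream.yml.hbs lacks the `fields_under_root: true` and `{{#contains "forwarded" tags}}publisher_pipeline.disable_host: true{{/contains}}` stanza that tcp.yml.hbs and udp.yml.hbs on this same line carry, so a file-collected event tagged `forwarded` would presumably still get the collecting agent's `host.*` fields attached to a log that describes a different device. If that asymmetry is intentional for the file input, a one-line Handlebars comment in the template saying so would stop the next reader from "fixing" it; otherwise the same two lines belong after the tags `{{/each}}`.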
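Review bot: tcp.yml.hbs configures only `host: "{{tcp_host}}:{{tcp_port}}"` and exposes none of the TCP input's TLS settings (`ssl.enabled`, `ssl.certificate`, `ssl.key`, `ssl.certificate_authorities`), so FireEye NX events can only be received in cleartext on this listener; udp.yml.hbs has no transport-level protection at all, which is worth stating in that input's description. Wiring an optional manifest variable through the template (`{{#if ssl}}` / `ssl: {{ssl}}` / `{{/if}}`, rendered the same way `processors` already is) would let operators encrypt the syslog path without touching the package again. The template is otherwise a line-for-line copy of udp.yml.hbs with the prefix swapped, so whichever change lands should be applied to both files together.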
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,176 @@ +--- +description: Pipeline for processing FireEye NX logs +processors: + - set: + field: ecs.version + value: "8.2.0" + - set: + field: observer.vendor + value: "Fireeye" + - set: + field: observer.product + value: "NX" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - json: + field: json.rawmsg + target_field: rawmsg + ignore_failure: true + # rename raw fields + - pipeline: + name: '{{ IngestPipeline "renaming-raws" }}' + - date: + field: temp_ts + formats: + - strict_date_optional_time_nanos + - remove: + field: temp_ts + - geoip: + field: destination.address + target_field: destination.geo + ignore_missing: true + - geoip: + field: source.address + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.address + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.address + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + + - append: + field: event.category + value: network + if: "['dns', 'flow', 'tls'].contains(ctx?.event?.type)" + - append: + field: event.category + value: [web, network] + if: ctx?.event?.type == 'http' + - append: + field: event.category + value: [file, network] + if: ctx?.event?.type == 'fileinfo' + - set: + 
field: event.type + value: [info] + + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_missing: true + - lowercase: + field: "network.protocol" + ignore_missing: true + - lowercase: + field: "network.direction" + ignore_missing: true + - lowercase: + field: "network.type" + ignore_missing: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. + # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: '1' + igmp: '2' + ipv4: '4' + tcp: '6' + egp: '8' + igp: '9' + pup: '12' + udp: '17' + rdp: '27' + irtp: '28' + dccp: '33' + idpr: '35' + ipv6: '41' + ipv6-route: '43' + ipv6-frag: '44' + rsvp: '46' + gre: '47' + esp: '50' + ipv6-icmp: '58' + ipv6-nonxt: '59' + ipv6-opts: '60' + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + - community_id: + target_field: network.community_id + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx.destination?.ip != null + - remove: + field: + - rawmsg + - json + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml b/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml new file mode 100755 index 0000000000..6009b81d76 
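Review bot: The `date` processor on `temp_ts` has no guard, yet `temp_ts` only exists when the `rename` of `rawmsg.timestamp` in the `renaming-raws` pipeline (which uses `ignore_missing: true`) found something, so an event without that key fails here, jumps to `on_failure`, and is indexed with just `error.message` and none of the later ECS enrichment; the unguarded `remove` of `temp_ts` right after it has the same effect. Adding `if: ctx.temp_ts != null` to the date processor and `ignore_missing: true` to that remove keeps such events flowing (if discarding timestamp-less events is the intent, a comment saying so would do instead). Two smaller points: nothing in this pipeline sets `event.kind`, and the vendor `event_type` value that drives every `ctx?.event?.type == '…'` condition is overwritten by the closing `set: event.type value: [info]` without being copied into a `fireeye.nx.*` field, so as far as this hunk shows it survives only inside `event.original`.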
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml
@@ -0,0 +1,464 @@ +--- +description: Pipeline for renaming raw fields from incoming event original. +processors: + - rename: + field: rawmsg.timestamp + target_field: temp_ts + ignore_missing: true + - rename: + field: rawmsg.proto + target_field: network.transport + ignore_missing: true + - rename: + field: rawmsg.app_proto + target_field: network.protocol + ignore_missing: true + - rename: + field: rawmsg.flow_id + target_field: fireeye.nx.flow_id + ignore_missing: true + - rename: + field: rawmsg.event_type + target_field: event.type + ignore_missing: true + - rename: + field: rawmsg.src_ip + target_field: source.address + ignore_missing: true + - set: + field: source.ip + copy_from: source.address + ignore_empty_value: true + - rename: + field: rawmsg.src_port + target_field: source.port + ignore_missing: true + - rename: + field: rawmsg.dest_ip + target_field: destination.address + ignore_missing: true + - set: + field: destination.ip + copy_from: destination.address + ignore_empty_value: true + - rename: + field: rawmsg.dest_port + target_field: destination.port + ignore_missing: true + - rename: + field: meta_sip4 + target_field: fireeye.nx.device_ip + ignore_missing: true + - rename: + field: meta_oml + target_field: fireeye.nx.device_oml + ignore_missing: true + - rename: + field: deviceid + target_field: fireeye.nx.deviceid + ignore_missing: true + - rename: + field: meta_cbname + target_field: fireeye.nx.hostname + ignore_missing: true + # flow event type fields + - rename: + field: rawmsg.proto_number + target_field: network.iana_number + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.pkts_toserver + target_field: source.packets + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.pkts_toclient + target_field: destination.packets + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.bytes_toserver + target_field: source.bytes + if: 
ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.bytes_toclient + target_field: destination.bytes + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.start + target_field: fireeye.nx.flow.starttime + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.end + target_field: fireeye.nx.flow.endtime + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.age + target_field: fireeye.nx.flow.age + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.state + target_field: fireeye.nx.flow.state + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.reason + target_field: fireeye.nx.flow.reason + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.alerted + target_field: fireeye.nx.flow.alerted + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.tcp + target_field: fireeye.nx.tcp + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.icmp_code + target_field: fireeye.nx.flow.icmp_code + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.icmp_type + target_field: fireeye.nx.flow.icmp_type + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.response_icmp_code + target_field: fireeye.nx.flow.response_icmp_code + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.response_icmp_type + target_field: fireeye.nx.flow.response_icmp_type + if: ctx?.event?.type == 'flow' + ignore_missing: true + # fileinfo event type fields + - rename: + field: rawmsg.fileinfo.filename + target_field: fireeye.nx.fileinfo.filename + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.magic + target_field: fireeye.nx.fileinfo.magic + if: ctx?.event?.type == 'fileinfo' + 
ignore_missing: true + - rename: + field: rawmsg.fileinfo.md5 + target_field: fireeye.nx.fileinfo.md5 + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.size + target_field: fireeye.nx.fileinfo.size + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.state + target_field: fireeye.nx.fileinfo.state + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.stored + target_field: fireeye.nx.fileinfo.stored + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + # http event type fields + - rename: 
+ field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'http' + ignore_missing: true + # http event type fields + - rename: + field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 
'http' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'http' + ignore_missing: true + # dns event type fields + - convert: + field: rawmsg.dns.id + target_field: dns.id + type: string + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rcode + target_field: dns.response_code + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rdata + target_field: dns.resolved_data + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rrname + target_field: dns.question.name + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rrtype + target_field: dns.question.type + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.ttl + target_field: dns.answers.ttl + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.type + target_field: dns.type + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'dns' + ignore_missing: true + # tls event type fields + - rename: + field: rawmsg.tls.client_ciphersuites + target_field: tls.client.ciphersuites + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.client_tls_exts + target_field: tls.client.tls_exts + if: ctx?.event?.type == 'tls' + ignore_missing: 
true + - rename: + field: rawmsg.tls.fingerprint + target_field: tls.client.fingerprint + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.issuerdn + target_field: tls.client.issuer + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3.hash + target_field: tls.client.ja3 + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3.string + target_field: tls.client.ja3_string + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3s.hash + target_field: tls.server.ja3s + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3s.string + target_field: tls.server.ja3s_string + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.notbefore + target_field: tls.client.not_before + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.notafter + target_field: tls.client.not_after + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.pubkeylength + target_field: tls.public_keylength + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.server_ciphersuite + target_field: tls.server.ciphersuite + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.server_tls_exts + target_field: tls.server.tls_exts + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.sni + target_field: tls.client.server_name + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.subject + target_field: tls.client.subject + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.version + target_field: tls.version + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.fatal_alert + target_field: fireeye.nx.tls.fetal_alert + if: ctx?.event?.type == 'tls' + 
ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'tls' + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fireeye/1.3.1/data_stream/nx/fields/agent.yml b/packages/fireeye/1.3.1/data_stream/nx/fields/agent.yml new file mode 100755 index 0000000000..a371c03d96 --- /dev/null +++ b/packages/fireeye/1.3.1/data_stream/nx/fields/agent.yml 
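Review bot: The `# http event type fields` section appears twice in full: the ten `rawmsg.http.*` and `rawmsg.iface` renames conditioned on `ctx?.event?.type == 'http'` are listed, then repeated verbatim, so the second copy never does anything (the source fields are already gone and `ignore_missing: true` hides that) and should be deleted. The four `rename` processors for `meta_sip4`, `meta_oml`, `deviceid` and `meta_cbname` read those keys at the document root, whereas the calling `default` pipeline parses the message under `json` and only lifts `json.rawmsg` to `rawmsg`; unless something not visible here promotes them, they would need `field: json.meta_sip4` and so on, otherwise they never fire and the values are lost in the final `remove` of `json`. Also `target_field: fireeye.nx.tls.fetal_alert` looks like a typo for `fatal_alert` (the source key is `rawmsg.tls.fatal_alert`); correcting it changes the mapping, so it should be coordinated with the data stream's fields definition rather than patched in place.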
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
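Review bot: `example: 666777888999` under `cloud.account.id` is unquoted, so a YAML 1.1 loader reads it as an integer while the field itself is a `keyword`; the same file quotes `"18D109"` for `os.build`, so for consistency write `example: "666777888999"`. This looks like an ECS field export copied into several packages, so the fix presumably belongs in whatever generates it rather than in this file alone.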
diff --git a/packages/fireeye/1.3.1/data_stream/nx/fields/base-fields.yml b/packages/fireeye/1.3.1/data_stream/nx/fields/base-fields.yml
new file mode 100755
index 0000000000..cdff14cc88
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: fireeye
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: fireeye.nx
diff --git a/packages/fireeye/1.3.1/data_stream/nx/fields/ecs.yml b/packages/fireeye/1.3.1/data_stream/nx/fields/ecs.yml
new file mode 100755
index 0000000000..3b2c5745b9
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/fields/ecs.yml
@@ -0,0 +1,299 @@ +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. + name: http.version + type: keyword +- description: |- + Mime type of the body of the request. + This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. 
+ name: http.request.mime_type + type: keyword +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. 
+ name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Port of the destination. + name: destination.port + type: long +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. 
+ multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Interface name as reported by the system. + name: interface.name + type: keyword +- description: The DNS response code. 
+ name: dns.response_code + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + name: tls.client.ja3 + type: keyword +- description: Date/Time indicating when client certificate is first considered valid. + name: tls.client.not_before + type: date +- description: Date/Time indicating when client certificate is no longer considered valid. + name: tls.client.not_after + type: date +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. 
When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: Distinguished name of subject of the x.509 certificate presented by the client. + name: tls.client.subject + type: keyword +- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + name: tls.server.ja3s + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword diff --git a/packages/fireeye/1.3.1/data_stream/nx/fields/fields.yml b/packages/fireeye/1.3.1/data_stream/nx/fields/fields.yml new file mode 100755 index 0000000000..8a25bb461f --- /dev/null +++ b/packages/fireeye/1.3.1/data_stream/nx/fields/fields.yml 
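Review bot: `destination.port` is declared twice in this hunk — once right after `destination.ip` near the top and again after `destination.address` further down — with identical `description` and `type: long`; the second entry should be removed so each field has exactly one definition in the list. `source.geo.location` and `destination.geo.location` are the only entries carrying `level: core`, which looks like an artifact of copying from the ECS source; either drop the key from those two entries or apply it consistently across the file. The `tls.client.server_name` description is split across a physical line boundary in this rendering, so confirm it is a single line in the committed file.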
@@ -0,0 +1,108 @@
+- name: fireeye.nx
+ type: group
+ fields:
+ - name: flow_id
+ type: long
+ description: Flow ID of the event.
+ - name: flow
+ type: group
+ fields:
+ - name: age
+ type: long
+ description: Flow age.
+ - name: alerted
+ type: boolean
+ description: Flow alerted or not.
+ - name: endtime
+ type: date
+ description: Flow endtime.
+ - name: reason
+ type: keyword
+ description: Flow reason.
+ - name: starttime
+ type: date
+ description: Flow start time.
+ - name: state
+ type: keyword
+ description: Flow state.
+ - name: tcp
+ type: group
+ fields:
+ - name: ack
+ type: boolean
+ description: TCP acknowledgement.
+ - name: psh
+ type: boolean
+ description: TCP PSH.
+ - name: state
+ type: keyword
+ description: TCP connectin state.
+ - name: syn
+ type: boolean
+ description: TCP SYN.
+ - name: tcp_flags
+ type: keyword
+ description: TCP flags.
+ - name: tcp_flags_tc
+ type: keyword
+ description: TCP flags.
+ - name: tcp_flags_ts
+ type: keyword
+ description: TCP flags.
+ - name: fileinfo
+ type: group
+ fields:
+ - name: filename
+ type: keyword
+ description: File name.
+ - name: magic
+ type: keyword
+ description: Fileinfo magic.
+ - name: md5
+ type: keyword
+ description: File hash.
+ - name: size
+ type: long
+ description: File size.
+ - name: state
+ type: keyword
+ description: File state.
+ - name: stored
+ type: boolean
+ description: File stored or not.
+- name: tls
+ type: group
+ fields:
+ - name: client
+ type: group
+ fields:
+ - name: ciphersuites
+ type: array
+ description: TLS cipher suites by client.
+ - name: fingerprint
+ type: keyword
+ description: TLS fingerprint.
+ - name: ja3_string
+ type: keyword
+ description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
+ - name: tls_exts
+ type: array
+ description: TLS extensions set by client.
+ - name: server
+ type: group
+ fields:
+ - name: ciphersuite
+ type: array
+ description: TLS cipher suites by server.
+ - name: ja3s_string
+ type: keyword
+ description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
+ - name: tls_exts
+ type: array
+ description: TLS extensions set by server.
+ - name: public_keylength
+ type: long
+ description: TLS public key length.
+- name: log.source.address
+ type: keyword
+ description: Logs Source Raw address.
diff --git a/packages/fireeye/1.3.1/data_stream/nx/manifest.yml b/packages/fireeye/1.3.1/data_stream/nx/manifest.yml
new file mode 100755
index 0000000000..c52d2799be
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/manifest.yml
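Review bot: `tls.client.ja3_string` and `tls.server.ja3s_string` reuse the descriptions of the ECS hash fields `tls.client.ja3`/`tls.server.ja3s` ("A hash that identifies ..."), but the `_string` names suggest these hold the un-hashed fingerprint strings from which those hashes are derived; if so, the description should say that, e.g. `description: Raw JA3 fingerprint string of the client handshake (the input to the tls.client.ja3 hash).`, and the same for the server side. `tls.client.ciphersuites` (plural) and `tls.server.ciphersuite` (singular) are inconsistent for the same kind of value and renaming a shipped field later is a breaking change, so align them now. `fireeye.nx.fileinfo.md5` is described only as "File hash." — name the algorithm the field name implies (`description: MD5 hash of the file.`) so analysts know which `file.hash.*` / `related.hash` value to correlate against; whether the pipeline copies it there is outside this hunk. Typo on the tcp state field: `description: TCP connectin state.` should read `description: TCP connection state.`.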
@@ -0,0 +1,149 @@
+title: Fireeye NX
+type: logs
+streams:
+ - input: logfile
+ template_path: stream.yml.hbs
+ title: Fireeye NX logs
+ description: Collect fireye nx logs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/fireeye-nx*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fireeye-nx
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ multi: false
+ required: false
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: udp
+ title: Fireeye NX logs
+ description: Collect Fireeye NX logs using udp input
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fireeye-nx
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ multi: false
+ required: false
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Fireeye NX logs
+ description: Collect Fireeye NX logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fireeye-nx
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ multi: false
+ required: false
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/fireeye/1.3.1/data_stream/nx/sample_event.json b/packages/fireeye/1.3.1/data_stream/nx/sample_event.json
new file mode 100755
index 0000000000..272ffcf621
--- /dev/null
+++ b/packages/fireeye/1.3.1/data_stream/nx/sample_event.json
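Review bot: The `tcp` stream exposes only `tcp_host` and `tcp_port` and no `ssl` variable, so unless `tcp.yml.hbs` (not in this hunk) hardcodes TLS settings, operators can only receive these logs over a plaintext TCP listener; other integrations expose `- name: ssl` / `type: yaml` / `title: SSL Configuration` (with `multi`, `required` and `show_user` following the `processors` var's pattern) and pass it through to the Filebeat tcp input's `ssl` settings, which would let a deployment require TLS on the listener. The logfile stream's `description: Collect fireye nx logs` misspells the product and is lowercase while the other two streams write `Fireeye NX`; `description: Collect Fireeye NX logs from file` would match the `using udp input` wording of the udp stream, whose own sibling tcp description currently omits the transport altogether. The three `tz_offset` vars are identical copies; that is conventional here, but a one-line comment above the first (`# Offset applied to timestamps that carry no zone; see the pipeline`) would help, assuming that is how the pipeline uses it.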
@@ -0,0 +1,112 @@ +{ + "@timestamp": "2020-09-22T08:34:44.991Z", + "agent": { + "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597", + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "fireeye.nx", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "ff02:0000:0000:0000:0000:0000:0000:0001", + "bytes": 0, + "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", + "packets": 0, + "port": 10001 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "fireeye.nx", + "ingested": "2022-05-12T06:20:01Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "fireeye": { + "nx": { + "flow": { + "age": 0, + "alerted": false, + "endtime": "2020-09-22T08:34:12.761348+0000", + "reason": "timeout", + "starttime": "2020-09-22T08:34:12.761326+0000", + "state": "new" + }, + "flow_id": 721570461162990 + } + }, + 
"host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.16.7" + ], + "mac": [ + "02:42:c0:a8:10:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fireeye-nx.log" + }, + "offset": 0 + }, + "network": { + "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] + }, + "source": { + "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "bytes": 1680, + "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "packets": 8, + "port": 45944 + }, + "tags": [ + "fireeye-nx" + ] +} \ No newline at end of file diff --git a/packages/fireeye/1.3.1/docs/README.md b/packages/fireeye/1.3.1/docs/README.md new file mode 100755 index 0000000000..31bbc638b5 --- /dev/null +++ b/packages/fireeye/1.3.1/docs/README.md 
@@ -0,0 +1,286 @@ +# FireEye Integration + +This integration periodically fetches logs from [FireEye Network Security](https://www.fireeye.com/products/network-security.html) devices. + +## Compatibility + +The FireEye `nx` integration has been developed against FireEye Network Security 9.0.0.916432 but is expected to work with other versions. + +## Logs + +### NX + +The `nx` integration ingests network security logs from FireEye NX through TCP/UDP and file. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| fireeye.nx.fileinfo.filename | File name. | keyword | +| fireeye.nx.fileinfo.magic | Fileinfo magic. | keyword | +| fireeye.nx.fileinfo.md5 | File hash. | keyword | +| fireeye.nx.fileinfo.size | File size. | long | +| fireeye.nx.fileinfo.state | File state. 
| keyword | +| fireeye.nx.fileinfo.stored | File stored or not. | boolean | +| fireeye.nx.flow.age | Flow age. | long | +| fireeye.nx.flow.alerted | Flow alerted or not. | boolean | +| fireeye.nx.flow.endtime | Flow endtime. | date | +| fireeye.nx.flow.reason | Flow reason. | keyword | +| fireeye.nx.flow.starttime | Flow start time. | date | +| fireeye.nx.flow.state | Flow state. | keyword | +| fireeye.nx.flow_id | Flow ID of the event. | long | +| fireeye.nx.tcp.ack | TCP acknowledgement. | boolean | +| fireeye.nx.tcp.psh | TCP PSH. | boolean | +| fireeye.nx.tcp.state | TCP connectin state. | keyword | +| fireeye.nx.tcp.syn | TCP SYN. | boolean | +| fireeye.nx.tcp.tcp_flags | TCP flags. | keyword | +| fireeye.nx.tcp.tcp_flags_tc | TCP flags. | keyword | +| fireeye.nx.tcp.tcp_flags_ts | TCP flags. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Input type | keyword | +| interface.name | Interface name as reported by the system. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| log.source.address | Logs Source Raw address. 
| keyword |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. 
| keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.client.ciphersuites | TLS cipher suites by client. | array |
+| tls.client.fingerprint | TLS fingerprint. | keyword |
+| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
+| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
+| tls.client.ja3_string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
+| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
+| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
+| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
+| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
+| tls.client.tls_exts | TLS extensions set by client. | array |
+| tls.public_keylength | TLS public key length. | long |
+| tls.server.ciphersuite | TLS cipher suites by server. | array |
+| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
+| tls.server.ja3s_string | A hash that identifies servers based on how they perform an SSL/TLS handshake. 
| keyword |
+| tls.server.tls_exts | TLS extensions set by server. | array |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. 
| keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `nx` looks as following:
+
+```json
+{
+ "@timestamp": "2020-09-22T08:34:44.991Z",
+ "agent": {
+ "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597",
+ "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "fireeye.nx",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "ff02:0000:0000:0000:0000:0000:0000:0001",
+ "bytes": 0,
+ "ip": "ff02:0000:0000:0000:0000:0000:0000:0001",
+ "packets": 0,
+ "port": 10001
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "fireeye.nx",
+ "ingested": "2022-05-12T06:20:01Z",
+ "original": 
"{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
+ "timezone": "+00:00",
+ "type": [
+ "info"
+ ]
+ },
+ "fireeye": {
+ "nx": {
+ "flow": {
+ "age": 0,
+ "alerted": false,
+ "endtime": "2020-09-22T08:34:12.761348+0000",
+ "reason": "timeout",
+ "starttime": "2020-09-22T08:34:12.761326+0000",
+ "state": "new"
+ },
+ "flow_id": 721570461162990
+ }
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": false,
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "192.168.16.7"
+ ],
+ "mac": [
+ "02:42:c0:a8:10:07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.104-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.4 LTS (Focal Fossa)"
+ }
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/fireeye-nx.log"
+ },
+ "offset": 0
+ },
+ "network": {
+ "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=",
+ "iana_number": "17",
+ "protocol": "failed",
+ "transport": "udp"
+ },
+ "observer": {
+ "product": "NX",
+ "vendor": "Fireeye"
+ },
+ "related": {
+ "ip": [
+ "fe80:0000:0000:0000:feec:daff:fe31:b706",
+ "ff02:0000:0000:0000:0000:0000:0000:0001"
+ ]
+ },
+ "source": {
+ "address": "fe80:0000:0000:0000:feec:daff:fe31:b706",
+ "bytes": 1680,
+ "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706",
+ "packets": 8,
+ "port": 45944
+ },
+ "tags": [
+ "fireeye-nx"
+ ]
+}
+```
\ No newline at end of file
diff --git a/packages/fireeye/1.3.1/img/FireEye-logo.svg b/packages/fireeye/1.3.1/img/FireEye-logo.svg
new file mode 100755
index 0000000000..50906981f0
--- /dev/null
+++ b/packages/fireeye/1.3.1/img/FireEye-logo.svg
@@ -0,0 +1,21 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/packages/fireeye/1.3.1/manifest.yml b/packages/fireeye/1.3.1/manifest.yml
new file mode 100755
index 0000000000..e8c250355f
--- /dev/null
+++ b/packages/fireeye/1.3.1/manifest.yml
@@ -0,0 +1,35 @@
+format_version: 1.0.0
+name: fireeye
+title: "Fireeye"
+version: 1.3.1
+license: basic
+description: "This Elastic integration collects Fireeye NX logs."
+type: integration
+categories:
+ - monitoring
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/FireEye-logo.svg
+ title: Fireeye logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: fireeye
+ title: Fireeye NX logs
+ description: Collect Fireeye NX logs
+ inputs:
+ - type: logfile
+ title: Collect Fireeye NX logs from instances
+ description: Collecting Fireeye NX logs
+ - type: udp
+ title: Collect logs from Fireeye NXtwork Security via UDP
+ description: Collecting Fireeye NX logs via UDP
+ - type: tcp
+ title: Collect logs from Fireeye NXtwork Security via TCP
+ description: Collecting Fireeye NX logs via TCP
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/fortinet/1.6.1/changelog.yml b/packages/fortinet/1.6.1/changelog.yml
new file mode 100755
index 0000000000..927672491e
--- /dev/null
+++ b/packages/fortinet/1.6.1/changelog.yml
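Review bot: The UDP and TCP input titles in manifest.yml, `title: Collect logs from Fireeye NXtwork Security via UDP` and its TCP twin, carry a typo ("NXtwork") in a string that Fleet shows to users when they add the integration. The product is usually written "FireEye Network Security (NX)", so the wording was presumably meant to be `Collect logs from Fireeye Network Security via UDP` / `... via TCP`; confirm the intended name before changing it. If this directory is a verbatim snapshot of the published package, the fix belongs in the source package so the next release carries it, rather than in this copy.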
@@ -0,0 +1,139 @@
+# newer versions go on top
+- version: "1.6.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS for the Fortimanager data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3401
+- version: "1.6.0"
+ changes:
+ - description: Add TLS and custom options to TCP input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3319
+- version: "1.5.0"
+ changes:
+ - description: Update to ECS 8.2.0 to use new email field set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2800
+- version: "1.4.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.4.2"
+ changes:
+ - description: Clarify description for listen address and port.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2685
+- version: "1.4.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2585
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2277
+- version: "1.2.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2107
+- version: "1.2.3"
+ changes:
+ - description: Update title and description. 
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.2.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1817
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1660
+- version: "1.1.5"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "1.1.4"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1477
+- version: '1.1.3'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1384
+- version: "1.1.2"
+ changes:
+ - description: Remove `experimental` label from manifest
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1433
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1223
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1223
+- version: "0.9.1"
+ changes:
+ - description: use `wildcard` field type for the relevant ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1183
+- version: "0.9.0"
+ changes:
+ - 
description: update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1092
+- version: "0.8.2"
+ changes:
+ - description: make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1075
+- version: "0.8.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/845
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/228
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/log.yml.hbs b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..4e1e97257d
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/log.yml.hbs
@@ -0,0 +1,2774 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiClient" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + 
field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("enter", part1); + + var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("repeated", part2); + + var msg3 = msg("ms-wbt-server", dup9); + + var msg4 = msg("http", dup9); + + var msg5 = msg("https", dup9); + + var msg6 = msg("smtp", dup9); + + var msg7 = msg("pop3", dup9); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), + ]); + + var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: 
true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..cca5a4017d
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/tcp.yml.hbs
@@ -0,0 +1,2771 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Fortinet"
+ product: "FortiClient"
+ type: "Anti-Virus"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + 
field("p0"),
+ ],
+ }),
+ ]));
+
+ var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([
+ setc("header_id","0002"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hmonth"),
+ constant(" "),
+ field("hday"),
+ constant(" "),
+ field("htime"),
+ constant(" "),
+ field("hhostname"),
+ constant(" "),
+ field("messageid"),
+ constant(" "),
+ field("hfld5"),
+ constant("::"),
+ field("p0"),
+ ],
+ }),
+ ]));
+
+ var select1 = linear_select([
+ hdr1,
+ hdr2,
+ hdr3,
+ ]);
+
+ var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([
+ dup1,
+ dup2,
+ ]));
+
+ var msg1 = msg("enter", part1);
+
+ var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([
+ dup1,
+ dup2,
+ ]));
+
+ var msg2 = msg("repeated", part2);
+
+ var msg3 = msg("ms-wbt-server", dup9);
+
+ var msg4 = msg("http", dup9);
+
+ var msg5 = msg("https", dup9);
+
+ var msg6 = msg("smtp", dup9);
+
+ var msg7 = msg("pop3", dup9);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "enter": msg1,
+ "http": msg4,
+ "https": msg5,
+ "ms-wbt-server": msg3,
+ "pop3": msg7,
+ "repeated": msg2,
+ "smtp": msg6,
+ }),
+ ]);
+
+ var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([
+ dup3,
+ dup4,
+ dup5,
+ dup6,
+ dup7,
+ dup2,
+ dup8,
+ ]));
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure:
true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..59e1db4ecd
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/agent/stream/udp.yml.hbs
@@ -0,0 +1,2771 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiClient" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + 
field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("enter", part1); + + var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("repeated", part2); + + var msg3 = msg("ms-wbt-server", dup9); + + var msg4 = msg("http", dup9); + + var msg5 = msg("https", dup9); + + var msg6 = msg("smtp", dup9); + + var msg7 = msg("pop3", dup9); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), + ]); + + var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: 
true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..cf996f9818 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,68 @@
+---
+description: Pipeline for Fortinet FortiClient Endpoint Security
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/agent.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/agent.yml
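Review bot: The `on_failure` handler at the end of this hunk records the failure text in `error.message` but never marks the document as having failed, so an event that trips a processor error is indexed looking like any other event and cannot be selected by a detection rule or a troubleshooting query. Adding `- set: {field: event.kind, value: pipeline_error}` next to the `append` in `on_failure` gives such documents a stable ECS selector. Separately, the `append` to `related.hosts` is the only `related.*` enrichment in the pipeline; `source.ip` and `destination.ip` are already consulted by the `geoip` processors, so appending them to `related.ip` under the same null guard would likely help analysts pivot on an address, although whether an earlier processing stage already does this is not visible in this diff.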
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
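Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader reads it as an integer although the field's `type` is `keyword`; writing it as `example: "666777888999"` keeps the example the same type as the field and matches the quoting already used for `example: "18D109"` at the end of this hunk. The other examples here (`i-1234567890abcdef0`, `4.4.0-112-generic`, `10.14.1`) are unaffected because they do not parse as numbers.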
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/base-fields.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/base-fields.yml
new file mode 100755
index 0000000000..82f0133692
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: fortinet
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: fortinet.clientendpoint
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/ecs.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/ecs.yml
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/fields.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ type: keyword
+ description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: feed_name
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: cid
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_group
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ type: keyword
+ description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ type: keyword
+ description: This is used to capture the category of the feed.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: forward_ip
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: header_id
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_cid
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_ctime
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.
However, in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it’s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it’s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it’s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/manifest.yml b/packages/fortinet/1.6.1/data_stream/clientendpoint/manifest.yml new file mode 100755 index 0000000000..ab7a3686d6 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/manifest.yml 
@@ -0,0 +1,212 @@
+title: Fortinet FortiClient Endpoint Security logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ enabled: true
+ title: Fortinet FortiClient Endpoint Security logs
+ description: Collect Fortinet FortiClient Endpoint Security logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-clientendpoint
+ - forwarded
+ - name: udp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9509
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ enabled: false
+ title: Fortinet FortiClient Endpoint Security logs
+ description: Collect Fortinet FortiClient Endpoint Security logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-clientendpoint
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9509
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Fortinet FortiClient Endpoint Security logs
+ template_path: log.yml.hbs
+ description: Collect Fortinet FortiClient Endpoint Security logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - /var/log/fortinet-clientendpoint.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-clientendpoint
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/fortinet/1.6.1/data_stream/clientendpoint/sample_event.json b/packages/fortinet/1.6.1/data_stream/clientendpoint/sample_event.json
new file mode 100755
index 0000000000..f10a0048c6
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/clientendpoint/sample_event.json
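Review bot: The tcp stream's `vars` declare no `ssl` variable, so unless the clientendpoint `tcp.yml.hbs` (not in view) hardcodes it, FortiClient syslog over TCP can only be received in cleartext; the firewall `tcp.yml.hbs` in this same commit renders `ssl: {{ssl}}` from such a var, so the two streams are inconsistent. Adding `- name: ssl` with `type: yaml` and `show_user: false` next to `tcp_port`, and wiring it into the template, would close that gap. The `tags`, `tz_offset`, `rsa_fields`, `keep_raw_fields`, `debug`, `preserve_original_event` and `processors` vars are repeated verbatim across the udp, tcp and logfile streams, so any later change has to be made three times; a short comment above `streams:` noting that the three blocks must be kept in sync would save a maintainer a missed edit. The `localhost` defaults for `udp_host` and `tcp_host` are the right conservative choice.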
@@ -0,0 +1,125 @@
+{
+ "@timestamp": "2021-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188",
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "fortinet.clientendpoint",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": [
+ "10.102.123.34"
+ ],
+ "port": 3994
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "deny",
+ "agent_id_status": "verified",
+ "code": "http",
+ "dataset": "fortinet.clientendpoint",
+ "ingested": "2022-01-25T12:25:45Z",
+ "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n",
+ "outcome": "failure",
+ "timezone": "+00:00"
+ },
+ "host": {
+ "name": "boNemoe4402.www.invalid"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.30.0.4:54478"
+ }
+ },
+ "network": {
+ "direction": "external",
+ "protocol": "udp"
+ },
+ "observer": {
+ "product": "FortiClient",
+ "type": "Anti-Virus",
+ "vendor": "Fortinet"
+ },
+ "process": {
+ "pid": 7880
+ },
+ "related": {
+ "hosts": [
+ "litesse6379.api.domain",
+ "boNemoe4402.www.invalid"
+ ],
+ "ip": [
+ "10.150.92.220",
+ "10.102.123.34"
+ ],
+ "user": [
+ "sumdo"
+ ]
+ },
+ "rsa": {
+ "counters": {
+ "dclass_c1": 5286,
+ "dclass_c1_str": "block_count"
+ },
+ "internal": {
+ "messageid": "http"
+ },
+ "investigations": {
+ "ec_outcome": "Failure",
+ "ec_subject": "NetworkComm",
+ "ec_theme": "ALM"
+ },
+ "misc": {
+ "action": [
+ "deny"
+ ],
+ "result": "failure\n"
+ },
+ "network": {
+ "alias_host": [
+ "boNemoe4402.www.invalid"
+ ],
+ 
"domain": "litesse6379.api.domain",
+ "network_service": "http"
+ },
+ "time": {
+ "event_time": "2021-01-29T06:09:59.000Z"
+ }
+ },
+ "server": {
+ "domain": "litesse6379.api.domain",
+ "registered_domain": "api.domain",
+ "subdomain": "litesse6379",
+ "top_level_domain": "domain"
+ },
+ "source": {
+ "ip": [
+ "10.150.92.220"
+ ],
+ "port": 7178
+ },
+ "tags": [
+ "preserve_original_event",
+ "fortinet-clientendpoint",
+ "forwarded"
+ ],
+ "user": {
+ "name": "sumdo"
+ }
+}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/log.yml.hbs b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..225500de9f
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,47 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if internal_interfaces.length}}
+processors:
+{{else}}
+{{#if external_interfaces.length}}
+processors:
+{{else}}
+{{#if processors}}
+processors:
+{{/if}}
+{{/if}}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ internal_interfaces:
+ {{#each internal_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
+{{#if external_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ external_interfaces:
+ {{#each external_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..6ca58d4fa8
--- /dev/null
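Review bot: The list items `- {{path}}`, `- {{tag}}` and `- {{interface}}` are emitted as plain unquoted YAML scalars, so a value beginning with a YAML indicator (`*`, `&`, `[`, `{`, `#`) or containing `: ` or ` #` either breaks the rendered input config or is silently cut off at the comment marker; how much that matters depends on how strictly Fleet validates these vars before rendering, which is not visible here. Single-quoting them, `- '{{path}}'`, `- '{{tag}}'` and `- '{{interface}}'`, narrows the failure to values containing a `'`. The same items appear in `tcp.yml.hbs` and `udp.yml.hbs` in this commit. The three nested `{{#if}}`/`{{else}}` blocks that decide whether to emit `processors:` are hard to read at a glance; a template comment such as `{{!-- emit the processors: key once if any of internal_interfaces, external_interfaces or processors is set --}}` above the first `{{#if internal_interfaces.length}}` would help.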
+++ b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/tcp.yml.hbs
@@ -0,0 +1,49 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if internal_interfaces.length}}
+processors:
+{{else}}
+{{#if external_interfaces.length}}
+processors:
+{{else}}
+{{#if processors}}
+processors:
+{{/if}}
+{{/if}}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ internal_interfaces:
+ {{#each internal_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
+{{#if external_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ external_interfaces:
+ {{#each external_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..852d6d18f0
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/agent/stream/udp.yml.hbs
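Review bot: `ssl: {{ssl}}` is only rendered when the var is set, so with the default configuration this TCP listener accepts syslog in plaintext on whatever `syslog_host` is bound to; the firewall manifest that declares `ssl` is not in view, so I cannot confirm its description says so. That description should state that omitting `ssl` leaves the connection unencrypted. `{{tcp_options}}` is emitted at column 0 after the processors list and therefore merges at the top level of the input config, which is easy to misread; a one-line comment, `{{!-- ssl and tcp_options are optional; without ssl the listener is plaintext --}}`, before `{{#if ssl}}` would make both points explicit.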
@@ -0,0 +1,43 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if internal_interfaces.length}}
+processors:
+{{else}}
+{{#if external_interfaces.length}}
+processors:
+{{else}}
+{{#if processors}}
+processors:
+{{/if}}
+{{/if}}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ internal_interfaces:
+ {{#each internal_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
+{{#if external_interfaces.length}}
+ - add_fields:
+ target: _temp
+ fields:
+ external_interfaces:
+ {{#each external_interfaces as |interface i|}}
+ - {{interface}}
+ {{/each}}
+{{/if}}
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..30892ee32f
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,431 @@ +--- +description: Pipeline for parsing fortinet firewall logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + - grok: + field: event.original + patterns: + - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$" + - kv: + field: syslog5424_sd + field_split: " (?=[a-z\\_\\-]+=)" + value_split: "=" + prefix: "fortinet.firewall." + ignore_missing: true + ignore_failure: false + trim_value: '"' + - script: + lang: painless + source: | + def fw = ctx?.fortinet?.firewall; + if (fw != null) { + fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); + } + - set: + field: observer.vendor + value: Fortinet + - set: + field: observer.product + value: Fortigate + - set: + field: observer.type + value: firewall + - set: + field: event.timezone + value: "{{fortinet.firewall.tz}}" + ignore_empty_value: true + - set: + field: _temp.time + value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null" + - set: + field: _temp.time + value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}" + if: "ctx.fortinet?.firewall?.tz == null" + - date: + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + timezone: "{{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null" + - date: + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + if: "ctx.fortinet?.firewall?.tz == null" + - gsub: + field: fortinet.firewall.eventtime + pattern: "\\d{6}$" + replacement: "" + if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX_MS + timezone: "{{fortinet.firewall.tz}}" + if: 
"ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + timezone: "{{fortinet.firewall.tz}}" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX_MS + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + - rename: + field: fortinet.firewall.devname + target_field: observer.name + ignore_missing: true + - script: + lang: painless + source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000" + if: "ctx.fortinet?.firewall?.duration != null" + - rename: + field: fortinet.firewall.devid + target_field: observer.serial_number + ignore_missing: true + - rename: + field: fortinet.firewall.dstintf + target_field: observer.egress.interface.name + ignore_missing: true + if: "ctx.observer?.egress?.interface?.name == null" + - rename: + field: fortinet.firewall.srcintf + target_field: observer.ingress.interface.name + ignore_missing: true + if: "ctx.observer?.ingress?.interface?.name == null" + - rename: + field: fortinet.firewall.dst_int + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: fortinet.firewall.src_int + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - append: + field: email.cc.address + value: 
"{{{fortinet.firewall.cc}}}" + if: "ctx?.fortinet?.cc?.address != null" + - set: + field: email.subject + copy_from: fortinet.firewall.subject + if: "ctx?.fortinet?.firewall?.subject != null" + + # Handle interface-based network directionality + - set: + field: network.direction + value: inbound + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: internal + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: external + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp?.external_interfaces 
!= null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.egress?.interface?.name != null && + ctx?.observer?.ingress?.interface?.name != null && + ( + ( + !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) + ) || + ( + !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && + !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + ) + ) + - remove: + field: + - _temp.time + - _temp + - syslog5424_sd + - syslog5424_pri + - fortinet.firewall.tz + - fortinet.firewall.date + - fortinet.firewall.devid + - fortinet.firewall.eventtime + - fortinet.firewall.time + - fortinet.firewall.duration + - host + ignore_missing: true + - pipeline: + name: '{{ IngestPipeline "event" }}' + if: "ctx.fortinet?.firewall?.type == 'event'" + - pipeline: + name: '{{ IngestPipeline "traffic" }}' + if: "ctx.fortinet?.firewall?.type == 'traffic'" + - pipeline: + name: '{{ IngestPipeline "utm" }}' + if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" + - convert: + field: fortinet.firewall.quotamax + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.quotaused + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.size + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.disklograte + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.fazlograte + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.lanin + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.lanout + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.setuprate + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.wanin + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.wanout + type: long + ignore_missing: true + - geoip: + field: 
source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" + - geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != 
null" + ignore_failure: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx.destination?.ip != null" + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + allow_duplicates: false + - append: + field: related.user + value: "{{destination.user.name}}" + if: "ctx.destination?.user?.name != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.address}}" + if: "ctx.destination?.address != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.address}}" + if: "ctx.source?.address != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{dns.question.name}}" + if: "ctx.dns?.question?.name != null" + allow_duplicates: false + - script: + lang: painless + source: | + def dnsIPs = ctx?.dns?.resolved_ip; + if (dnsIPs != null && dnsIPs instanceof List) { + if 
(ctx?.related?.ip == null) {
+ ctx.related.ip = [];
+ }
+ for (ip in dnsIPs) {
+ if (!ctx.related.ip.contains(ip)) {
+ ctx.related.ip.add(ip);
+ }
+ }
+ }
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml
new file mode 100755
index 0000000000..19f29c3b99
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml
@@ -0,0 +1,267 @@ +--- +description: Pipeline for parsing fortinet firewall logs (event pipeline) +processors: + - set: + field: event.kind + value: event + - set: + field: event.outcome + value: failure + if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" + - set: + field: event.outcome + value: success + if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: + - user + - start + if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: + - user + - end + if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: connection + if: "ctx.fortinet?.firewall?.subtype == 'vpn'" + - append: + field: event.category + value: network + if: "ctx.fortinet?.firewall?.subtype == 'vpn'" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.action == 'perf-stats'" + - append: + field: event.category + value: host + if: "ctx.fortinet?.firewall?.action == 'perf-stats'" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.subtype == 'update'" + - append: + field: event.category + value: + - host + - malware + if: "ctx.fortinet?.firewall?.subtype == 'update'" + - append: + field: event.category + value: authentication + if: "ctx.fortinet?.firewall?.subtype == 'user'" + - rename: + field: fortinet.firewall.dstip + target_field: destination.ip + ignore_missing: true + - rename: + field: fortinet.firewall.remip + target_field: destination.ip + ignore_missing: true + if: "ctx.destination?.ip == null" + - convert: + field: fortinet.firewall.dstport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.remport + target_field: destination.port + type: long + 
ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.rcvdbyte + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.daddr + target_field: destination.address + ignore_missing: true + - rename: + field: fortinet.firewall.dst_host + target_field: destination.address + ignore_missing: true + if: "ctx.destination?.address == null" + - rename: + field: fortinet.firewall.dst_host + target_field: destination.domain + ignore_missing: true + if: "ctx.destination?.address == null" + - rename: + field: fortinet.firewall.group + target_field: source.user.group.name + ignore_missing: true + - convert: + field: fortinet.firewall.sentbyte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.srcip + target_field: source.ip + ignore_missing: true + - rename: + field: fortinet.firewall.locip + target_field: source.ip + ignore_missing: true + if: "ctx.source?.ip == null" + - rename: + field: fortinet.firewall.srcmac + target_field: source.mac + ignore_missing: true + - rename: + field: fortinet.firewall.source_mac + target_field: source.mac + ignore_missing: true + if: "ctx.source?.mac == null" + - convert: + field: fortinet.firewall.srcport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.locport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - rename: + field: fortinet.firewall.user + target_field: source.user.name + ignore_missing: true + - rename: + field: fortinet.firewall.saddr + target_field: source.address + ignore_missing: true + - rename: + field: fortinet.firewall.agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: fortinet.firewall.file + target_field: file.name + 
ignore_missing: true + - convert: + field: fortinet.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - rename: + field: fortinet.firewall.logid + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + - rename: + field: fortinet.firewall.msg + target_field: message + ignore_missing: true + - rename: + field: fortinet.firewall.policyid + target_field: rule.id + ignore_missing: true + - rename: + field: fortinet.firewall.proto + target_field: network.iana_number + ignore_missing: true + - rename: + field: fortinet.firewall.dir + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + - rename: + field: fortinet.firewall.direction + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + # Normalize the network direction + - script: + lang: painless + ignore_failure: true + params: + outgoing: outbound + incoming: inbound + source: >- + if (ctx.network?.direction == null) { + return; + } + def k = ctx.network?.direction.toLowerCase(); + def normalized = params.get(k); + if (normalized != null) { + ctx.network.direction = normalized; + return + } + ctx.network.direction = k; + - rename: + field: fortinet.firewall.service + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: fortinet.firewall.error_num + target_field: error.code + ignore_missing: true + - rename: + field: fortinet.firewall.hostname + target_field: url.domain + ignore_missing: true + - rename: + field: fortinet.firewall.logdesc + target_field: rule.description + ignore_missing: true + - rename: + field: fortinet.firewall.addr + target_field: fortinet.firewall.addrgrp + if: ctx.rule?.description == 'Dynamic address updated' + ignore_missing: true + - rename: + field: 
fortinet.firewall.url + target_field: url.path + ignore_missing: true + - convert: + field: fortinet.firewall.sess_duration + type: long + target_field: event.duration + ignore_failure: true + ignore_missing: true + if: "ctx.event?.duration == null" + - convert: + field: fortinet.firewall.mem + type: integer + ignore_failure: true + ignore_missing: true + - remove: + field: + - fortinet.firewall.dstport + - fortinet.firewall.remport + - fortinet.firewall.rcvdbyte + - fortinet.firewall.sentbyte + - fortinet.firewall.srcport + - fortinet.firewall.locport + - fortinet.firewall.filesize + - fortinet.firewall.sess_duration + - fortinet.firewall.dir + - fortinet.firewall.direction + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml new file mode 100755 index 0000000000..90f65f53a0 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml 
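Review bot: The second `fortinet.firewall.dst_host` rename (target `destination.domain`) is unreachable: its guard `if: "ctx.destination?.address == null"` is the same one the rename just above it uses, so either that rename has already consumed `dst_host`, or `daddr` filled `destination.address` and the guard is false; `destination.domain` is therefore never populated from `dst_host`. The guard should test the field this rename actually writes, `if: "ctx.destination?.domain == null"`, so a host name arriving alongside `daddr` still lands in `destination.domain`, where domain-based searches and detections look for it.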
@@ -0,0 +1,218 @@
+---
+description: Pipeline for parsing fortinet firewall logs (traffic pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{fortinet.firewall.action}}"
+ ignore_empty_value: true
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.action != null"
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.type
+ value: connection
+- append:
+ field: event.type
+ value: start
+ if: "ctx.fortinet?.firewall?.action == 'start'"
+- append:
+ field: event.type
+ value: end
+ if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'"
+- append:
+ field: event.type
+ value: protocol
+ if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: allowed
+ if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: denied
+ if: "ctx.fortinet?.firewall?.utmaction == 'block'"
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.tranip
+ target_field: destination.nat.ip
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.tranport
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.rcvdpkt
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- append:
+ field: email.to.address
+ value: "{{fortinet.firewall.dstcollectedemail}}"
+ if: "ctx?.fortinet?.firewall?.dstcollectedemail != null"
+- rename:
+ field: 
fortinet.firewall.dstname
+ target_field: destination.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstunauthuser
+ target_field: destination.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcdomain
+ target_field: source.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.unauthuser
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.source?.user?.name == null"
+- append:
+ field: email.from.address
+ value: "{{fortinet.firewall.collectedemail}}"
+ if: "ctx?.fortinet?.firewall?.collectedemail != null"
+- convert:
+ field: fortinet.firewall.sentpkt
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.transip
+ target_field: source.nat.ip
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.transport
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.app
+ target_field: network.application
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ 
target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.comment
+ target_field: rule.description
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.poluuid
+ target_field: rule.uuid
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policytype
+ target_field: rule.ruleset
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyname
+ target_field: rule.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.appcat
+ target_field: rule.category
+ ignore_missing: true
+- gsub:
+ field: rule.category
+ pattern: "\\."
+ replacement: "-"
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- remove:
+ field:
+ - fortinet.firewall.dstport
+ - fortinet.firewall.tranport
+ - fortinet.firewall.rcvdbyte
+ - fortinet.firewall.rcvdpkt
+ - fortinet.firewall.sentbyte
+ - fortinet.firewall.srcport
+ - fortinet.firewall.sentpkt
+ - fortinet.firewall.transport
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml
new file mode 100755
index 0000000000..02e7f1fa83
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml
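Review bot: A plain policy deny (`action == 'deny'` with no `utmaction`) ends up with no allow/deny marker in `event.type`: `allowed` is correctly withheld, but `denied` is only appended when `utmaction == 'block'`, so searches and rules keyed on `event.type: denied` miss firewall-policy denies. Extend that guard to `if: "ctx.fortinet?.firewall?.utmaction == 'block' || ctx.fortinet?.firewall?.action == 'deny'"`. The `allowed` guard also holds when `action` is absent altogether (null is `!= 'deny'`), which presumably is not intended; prefixing it with `ctx.fortinet?.firewall?.action != null && `, as the `end` guard already does, would close that gap. This file also lays out its processor sequence flush-left while event.yml and utm.yml in the same diff indent theirs; one sequence style across the package would make the pipelines easier to diff against each other.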
@@ -0,0 +1,380 @@ +--- +description: Pipeline for parsing fortinet firewall logs (utm pipeline) +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: denied + if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.subtype == 'dns'" + - append: + field: event.type + value: allowed + if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)" + - set: + field: event.outcome + value: success + if: "ctx.fortinet?.firewall?.action != null" + - append: + field: event.category + value: network + - rename: + field: fortinet.firewall.dstip + target_field: destination.ip + ignore_missing: true + - rename: + field: fortinet.firewall.remip + target_field: destination.ip + ignore_missing: true + if: "ctx.destination?.ip == null" + - convert: + field: fortinet.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.remport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.dstport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.rcvdbyte + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.recipient + target_field: email.to.address + ignore_missing: true + - append: + field: email.to.address + value: "{{fortinet.firewall.recipient}}" + if: "ctx?.fortinet?.firewall?.recipient != null" + - rename: + field: fortinet.firewall.group + target_field: source.user.group.name + ignore_missing: true + - rename: + field: fortinet.firewall.locip + target_field: source.ip + ignore_missing: true + - convert: + field: fortinet.firewall.locport + 
target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - convert: + field: fortinet.firewall.srcport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - convert: + field: fortinet.firewall.sentbyte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.srcdomain + target_field: source.domain + ignore_missing: true + - rename: + field: fortinet.firewall.srcip + target_field: source.ip + ignore_missing: true + if: "ctx.source?.ip == null" + - rename: + field: fortinet.firewall.srcmac + target_field: source.mac + ignore_missing: true + - rename: + field: fortinet.firewall.unauthuser + target_field: source.user.name + ignore_missing: true + - rename: + field: fortinet.firewall.user + target_field: source.user.name + ignore_missing: true + if: "ctx.source?.user?.name == null" + - append: + field: email.sender.address + value: "{{fortinet.firewall.sender}}" + if: "ctx?.fortinet?.firewall?.sender != null" + - append: + field: email.from.address + value: "{{fortinet.firewall.from}}" + if: "ctx?.fortinet?.firewall?.from != null" + - rename: + field: fortinet.firewall.from + target_field: email.from.address + ignore_missing: true + - rename: + field: fortinet.firewall.agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: fortinet.firewall.app + target_field: network.application + ignore_missing: true + - rename: + field: fortinet.firewall.appcat + target_field: rule.category + ignore_missing: true + - rename: + field: fortinet.firewall.applist + target_field: rule.ruleset + ignore_missing: true + - rename: + field: fortinet.firewall.catdesc + target_field: rule.category + ignore_missing: true + if: 
"ctx.rule?.category == null" + - gsub: + field: rule.category + pattern: "\\." + replacement: "-" + ignore_missing: true + if: "ctx.rule?.category != null" + - rename: + field: fortinet.firewall.dir + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + - rename: + field: fortinet.firewall.direction + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + # Normalize the network direction + - script: + lang: painless + ignore_failure: true + params: + outgoing: outbound + incoming: inbound + source: >- + if (ctx.network?.direction == null) { + return; + } + def k = ctx.network?.direction.toLowerCase(); + def normalized = params.get(k); + if (normalized != null) { + ctx.network.direction = normalized; + return + } + ctx.network.direction = k; + - rename: + field: fortinet.firewall.error + target_field: event.message + ignore_missing: true + - rename: + field: fortinet.firewall.errorcode + target_field: event.code + ignore_missing: true + - rename: + field: fortinet.firewall.event_id + target_field: event.id + ignore_missing: true + - rename: + field: fortinet.firewall.eventid + target_field: event.id + ignore_missing: true + if: "ctx.event?.id == null" + - rename: + field: fortinet.firewall.eventtype + target_field: event.action + ignore_missing: true + - rename: + field: fortinet.firewall.filename + target_field: file.name + ignore_missing: true + - convert: + field: fortinet.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.filetype + target_field: file.extension + ignore_missing: true + - rename: + field: fortinet.firewall.infectedfilename + target_field: file.name + ignore_missing: true + if: "ctx.file?.name == null" + - rename: + field: fortinet.firewall.infectedfilesize + target_field: file.size + ignore_missing: true + if: "ctx.file?.size == null" + - rename: + field: 
fortinet.firewall.infectedfiletype + target_field: file.extension + ignore_missing: true + if: "ctx.file?.extension == null" + - rename: + field: fortinet.firewall.matchedfilename + target_field: file.name + ignore_missing: true + if: "ctx.file?.name == null" + - rename: + field: fortinet.firewall.matchedfiletype + target_field: file.extension + ignore_missing: true + if: "ctx.file?.extension == null" + - rename: + field: fortinet.firewall.hostname + target_field: url.domain + ignore_missing: true + - rename: + field: fortinet.firewall.ipaddr + target_field: dns.resolved_ip + ignore_missing: true + - split: + field: dns.resolved_ip + separator: ", " + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - rename: + field: fortinet.firewall.logid + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + - rename: + field: fortinet.firewall.msg + target_field: message + ignore_missing: true + - rename: + field: fortinet.firewall.policy_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + - rename: + field: fortinet.firewall.policyid + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + - rename: + field: fortinet.firewall.profile + target_field: rule.ruleset + ignore_missing: true + if: "ctx.rule?.ruleset == null" + - rename: + field: fortinet.firewall.proto + target_field: network.iana_number + ignore_missing: true + - rename: + field: fortinet.firewall.qclass + target_field: dns.question.class + ignore_missing: true + - rename: + field: fortinet.firewall.qname + target_field: dns.question.name + ignore_missing: true + - rename: + field: fortinet.firewall.qtype + target_field: dns.question.type + ignore_missing: true + - rename: + field: fortinet.firewall.service + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: fortinet.firewall.url + 
target_field: url.path + ignore_missing: true + - rename: + field: fortinet.firewall.xid + target_field: dns.id + ignore_missing: true + - rename: + field: fortinet.firewall.scertcname + target_field: tls.server.x509.subject.common_name + ignore_missing: true + - rename: + field: fortinet.firewall.scertissuer + target_field: tls.server.issuer + ignore_missing: true + - set: + field: tls.server.x509.issuer.common_name + value: "{{tls.server.issuer}}" + ignore_empty_value: true + - rename: + field: fortinet.firewall.ccertissuer + target_field: tls.client.issuer + ignore_missing: true + - set: + field: tls.client.x509.issuer.common_name + value: "{{tls.client.issuer}}" + ignore_empty_value: true + - rename: + field: fortinet.firewall.sender + target_field: tls.server.issuer + ignore_missing: true + - rename: + field: fortinet.firewall.dtype + target_field: vulnerability.category + ignore_missing: true + - rename: + field: fortinet.firewall.ref + target_field: event.reference + ignore_missing: true + - rename: + field: fortinet.firewall.filehash + target_field: fortinet.file.hash.crc32 + ignore_missing: true + - append: + field: related.hash + value: "{{fortinet.file.hash.crc32}}" + if: "ctx.fortinet?.file?.hash?.crc32 != null" + - remove: + field: + - fortinet.firewall.dst_port + - fortinet.firewall.remport + - fortinet.firewall.dstport + - fortinet.firewall.rcvdbyte + - fortinet.firewall.locport + - fortinet.firewall.src_port + - fortinet.firewall.srcport + - fortinet.firewall.sentbyte + - fortinet.firewall.filesize + - fortinet.firewall.dir + - fortinet.firewall.direction + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet/1.6.1/data_stream/firewall/fields/agent.yml b/packages/fortinet/1.6.1/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..f6127c3e22 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/firewall/fields/agent.yml 
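Review bot: The `rename` of `fortinet.firewall.sender` to `tls.server.issuer` near the end of the hunk looks like a copy-paste slip: `sender` is an e-mail address (it is appended to `email.sender.address` earlier in this hunk), and `tls.server.issuer` has already been filled from `scertissuer`, so on an event carrying both fields the rename fails, `on_failure` records the error and the trailing `remove` never runs, leaving the raw port and byte fields in the document. If the mapping is not intended, drop the processor; if some log subtype really delivers the issuer in `sender`, guard it with `if: "ctx.tls?.server?.issuer == null"` and add a comment naming that subtype. The `append` to `email.to.address` from `{{fortinet.firewall.recipient}}` is likewise dead code, because the `rename` immediately before it has already moved `recipient` away, so its `if` can never be true.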
@@ -0,0 +1,183 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. 
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/fields/base-fields.yml b/packages/fortinet/1.6.1/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..40a2535111
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: fortinet
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: fortinet.firewall
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/fields/beats.yml b/packages/fortinet/1.6.1/data_stream/firewall/fields/beats.yml
new file mode 100755
index 0000000000..05a6db4740
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/fields/beats.yml
@@ -0,0 +1,15 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: Path to the log file.
+ name: log.file.path
+ type: keyword
+- description: Log message optimized for viewing in a log viewer.
+ name: event.message
+ type: text
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/fields/ecs.yml b/packages/fortinet/1.6.1/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..125795c4d6
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,443 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. 
+ name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The email address of CC recipient + name: email.cc.address + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. + name: email.sender.address + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. 
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Name of the module this data is coming from. 
+ If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + name: event.module + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reference URL linking to additional information about this event. + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.reference + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
+ name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Total packets transferred in both directions. 
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: User email address. + name: source.user.email + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.client.x509.issuer.common_name + type: keyword +- description: Subject of the issuer of the x.509 certificate presented by the server. + name: tls.server.issuer + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.server.x509.issuer.common_name + type: keyword +- description: List of common names (CN) of subject. + name: tls.server.x509.subject.common_name + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword diff --git a/packages/fortinet/1.6.1/data_stream/firewall/fields/fields.yml b/packages/fortinet/1.6.1/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..d7fa9c281c --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/firewall/fields/fields.yml 
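Review bot: The `vulnerability.category` description at the very end of the hunk still carries the asciidoc link markup from the ECS source, `(https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])`, and the `url[text]` form is most likely shown literally wherever this description is rendered (generated README field tables, Kibana field popovers); either drop the bracketed label or rewrite the sentence as plain prose, e.g. `For example, the Qualys vulnerability categories.` Separately, nothing in these 443 lines records which ECS release the definitions were copied from, so a later ECS bump cannot tell which entries (descriptions, `match_only_text` multi-fields, the `wildcard` type on `url.path`) have gone stale; a one-line header such as `# Copied from ECS <ECS_VERSION>; regenerate rather than hand-edit` at the top of the file would make that traceable. Both points are documentation only; the field definitions themselves read consistently with the rest of the hunk.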
@@ -0,0 +1,1727 @@ +- name: fortinet + type: group + fields: + - name: file.hash.crc32 + type: keyword + description: | + CRC32 Hash of file + - name: firewall + type: group + release: beta + fields: + - name: acct_stat + type: keyword + description: | + Accounting state (RADIUS) + - name: acktime + type: keyword + description: | + Alarm Acknowledge Time + - name: act + type: keyword + description: | + Action + - name: action + type: keyword + description: | + Status of the session + - name: activity + type: keyword + description: | + HA activity message + - name: addr + type: ip + description: | + IP Address + - name: addr_type + type: keyword + description: | + Address Type + - name: addrgrp + type: keyword + description: | + Address Group + - name: adgroup + type: keyword + description: | + AD Group Name + - name: admin + type: keyword + description: | + Admin User + - name: age + type: integer + description: | + Time in seconds - time passed since last seen + - name: agent + type: keyword + description: | + User agent - eg. 
agent="Mozilla/5.0" + - name: alarmid + type: integer + description: | + Alarm ID + - name: alert + type: keyword + description: | + Alert + - name: analyticscksum + type: keyword + description: | + The checksum of the file submitted for analytics + - name: analyticssubmit + type: keyword + description: | + The flag for analytics submission + - name: ap + type: keyword + description: | + Access Point + - name: app-type + type: keyword + description: | + Address Type + - name: appact + type: keyword + description: | + The security action from app control + - name: appid + type: integer + description: | + Application ID + - name: applist + type: keyword + description: | + Application Control profile + - name: apprisk + type: keyword + description: | + Application Risk Level + - name: apscan + type: keyword + description: | + The name of the AP, which scanned and detected the rogue AP + - name: apsn + type: keyword + description: | + Access Point + - name: apstatus + type: keyword + description: | + Access Point status + - name: aptype + type: keyword + description: | + Access Point type + - name: assigned + type: ip + description: | + Assigned IP Address + - name: assignip + type: ip + description: | + Assigned IP Address + - name: attachment + type: keyword + description: | + The flag for email attachement + - name: attack + type: keyword + description: | + Attack Name + - name: attackcontext + type: keyword + description: | + The trigger patterns and the packetdata with base64 encoding + - name: attackcontextid + type: keyword + description: | + Attack context id / total + - name: attackid + type: integer + description: | + Attack ID + - name: auditid + type: long + description: | + Audit ID + - name: auditscore + type: keyword + description: | + The Audit Score + - name: audittime + type: long + description: | + The time of the audit + - name: authgrp + type: keyword + description: | + Authorization Group + - name: authid + type: keyword + description: | + 
Authentication ID + - name: authproto + type: keyword + description: | + The protocol that initiated the authentication + - name: authserver + type: keyword + description: | + Authentication server + - name: bandwidth + type: keyword + description: | + Bandwidth + - name: banned_rule + type: keyword + description: | + NAC quarantine Banned Rule Name + - name: banned_src + type: keyword + description: | + NAC quarantine Banned Source IP + - name: banword + type: keyword + description: | + Banned word + - name: botnetdomain + type: keyword + description: | + Botnet Domain Name + - name: botnetip + type: ip + description: | + Botnet IP Address + - name: bssid + type: keyword + description: | + Service Set ID + - name: call_id + type: keyword + description: | + Caller ID + - name: carrier_ep + type: keyword + description: | + The FortiOS Carrier end-point identification + - name: cat + type: integer + description: | + DNS category ID + - name: category + type: keyword + description: | + Authentication category + - name: cc + type: keyword + description: | + CC Email Address + - name: cdrcontent + type: keyword + description: | + Cdrcontent + - name: centralnatid + type: integer + description: | + Central NAT ID + - name: cert + type: keyword + description: | + Certificate + - name: cert-type + type: keyword + description: | + Certificate type + - name: certhash + type: keyword + description: | + Certificate hash + - name: cfgattr + type: keyword + description: | + Configuration attribute + - name: cfgobj + type: keyword + description: | + Configuration object + - name: cfgpath + type: keyword + description: | + Configuration path + - name: cfgtid + type: keyword + description: | + Configuration transaction ID + - name: cfgtxpower + type: integer + description: | + Configuration TX power + - name: channel + type: integer + description: | + Wireless Channel + - name: channeltype + type: keyword + description: | + SSH channel type + - name: chassisid + type: integer + 
description: | + Chassis ID + - name: checksum + type: keyword + description: | + The checksum of the scanned file + - name: chgheaders + type: keyword + description: | + HTTP Headers + - name: cldobjid + type: keyword + description: | + Connector object ID + - name: client_addr + type: keyword + description: | + Wifi client address + - name: cloudaction + type: keyword + description: | + Cloud Action + - name: clouduser + type: keyword + description: | + Cloud User + - name: column + type: integer + description: | + VOIP Column + - name: command + type: keyword + description: | + CLI Command + - name: community + type: keyword + description: | + SNMP Community + - name: configcountry + type: keyword + description: | + Configuration country + - name: connection_type + type: keyword + description: | + FortiClient Connection Type + - name: conserve + type: keyword + description: | + Flag for conserve mode + - name: constraint + type: keyword + description: | + WAF http protocol restrictions + - name: contentdisarmed + type: keyword + description: | + Email scanned content + - name: contenttype + type: keyword + description: | + Content Type from HTTP header + - name: cookies + type: keyword + description: | + VPN Cookie + - name: count + type: integer + description: | + Counts of action type + - name: countapp + type: integer + description: | + Number of App Ctrl logs associated with the session + - name: countav + type: integer + description: | + Number of AV logs associated with the session + - name: countcifs + type: integer + description: | + Number of CIFS logs associated with the session + - name: countdlp + type: integer + description: | + Number of DLP logs associated with the session + - name: countdns + type: integer + description: | + Number of DNS logs associated with the session + - name: countemail + type: integer + description: | + Number of email logs associated with the session + - name: countff + type: integer + description: | + Number of ff logs 
associated with the session + - name: countips + type: integer + description: | + Number of IPS logs associated with the session + - name: countssh + type: integer + description: | + Number of SSH logs associated with the session + - name: countssl + type: integer + description: | + Number of SSL logs associated with the session + - name: countwaf + type: integer + description: | + Number of WAF logs associated with the session + - name: countweb + type: integer + description: | + Number of Web filter logs associated with the session + - name: cpu + type: integer + description: | + CPU Usage + - name: craction + type: integer + description: | + Client Reputation Action + - name: criticalcount + type: integer + description: | + Number of critical ratings + - name: crl + type: keyword + description: | + Client Reputation Level + - name: crlevel + type: keyword + description: | + Client Reputation Level + - name: crscore + type: integer + description: | + Some description + - name: cveid + type: keyword + description: | + CVE ID + - name: daemon + type: keyword + description: | + Daemon name + - name: datarange + type: keyword + description: | + Data range for reports + - name: date + type: keyword + description: | + Date + - name: ddnsserver + type: ip + description: | + DDNS server + - name: desc + type: keyword + description: | + Description + - name: detectionmethod + type: keyword + description: | + Detection method + - name: devcategory + type: keyword + description: | + Device category + - name: devintfname + type: keyword + description: | + HA device Interface Name + - name: devtype + type: keyword + description: | + Device type + - name: dhcp_msg + type: keyword + description: | + DHCP Message + - name: dintf + type: keyword + description: | + Destination interface + - name: disk + type: keyword + description: | + Assosciated disk + - name: disklograte + type: long + description: | + Disk logging rate + - name: dlpextra + type: keyword + description: | + DLP 
extra information + - name: docsource + type: keyword + description: | + DLP fingerprint document source + - name: domainctrlauthstate + type: integer + description: | + CIFS domain auth state + - name: domainctrlauthtype + type: integer + description: | + CIFS domain auth type + - name: domainctrldomain + type: keyword + description: | + CIFS domain auth domain + - name: domainctrlip + type: ip + description: | + CIFS Domain IP + - name: domainctrlname + type: keyword + description: | + CIFS Domain name + - name: domainctrlprotocoltype + type: integer + description: | + CIFS Domain connection protocol + - name: domainctrlusername + type: keyword + description: | + CIFS Domain username + - name: domainfilteridx + type: integer + description: | + Domain filter ID + - name: domainfilterlist + type: keyword + description: | + Domain filter name + - name: ds + type: keyword + description: | + Direction with distribution system + - name: dst_int + type: keyword + description: | + Destination interface + - name: dstintfrole + type: keyword + description: | + Destination interface role + - name: dstcountry + type: keyword + description: | + Destination country + - name: dstdevcategory + type: keyword + description: | + Destination device category + - name: dstdevtype + type: keyword + description: | + Destination device type + - name: dstfamily + type: keyword + description: | + Destination OS family + - name: dsthwvendor + type: keyword + description: | + Destination HW vendor + - name: dsthwversion + type: keyword + description: | + Destination HW version + - name: dstinetsvc + type: keyword + description: | + Destination interface service + - name: dstosname + type: keyword + description: | + Destination OS name + - name: dstosversion + type: keyword + description: | + Destination OS version + - name: dstserver + type: integer + description: | + Destination server + - name: dstssid + type: keyword + description: | + Destination SSID + - name: dstswversion + type: 
keyword + description: | + Destination software version + - name: dstunauthusersource + type: keyword + description: | + Destination unauthenticated source + - name: dstuuid + type: keyword + description: | + UUID of the Destination IP address + - name: duid + type: keyword + description: | + DHCP UID + - name: eapolcnt + type: integer + description: | + EAPOL packet count + - name: eapoltype + type: keyword + description: | + EAPOL packet type + - name: encrypt + type: integer + description: | + Whether the packet is encrypted or not + - name: encryption + type: keyword + description: | + Encryption method + - name: epoch + type: integer + description: | + Epoch used for locating file + - name: espauth + type: keyword + description: | + ESP Authentication + - name: esptransform + type: keyword + description: | + ESP Transform + - name: exch + type: keyword + description: | + Mail Exchanges from DNS response answer section + - name: exchange + type: keyword + description: | + Mail Exchanges from DNS response answer section + - name: expectedsignature + type: keyword + description: | + Expected SSL signature + - name: expiry + type: keyword + description: | + FortiGuard override expiry timestamp + - name: fams_pause + type: integer + description: | + Fortinet Analysis and Management Service Pause + - name: fazlograte + type: long + description: | + FortiAnalyzer Logging Rate + - name: fctemssn + type: keyword + description: | + FortiClient Endpoint SSN + - name: fctuid + type: keyword + description: | + FortiClient UID + - name: field + type: keyword + description: | + NTP status field + - name: filefilter + type: keyword + description: | + The filter used to identify the affected file + - name: filehashsrc + type: keyword + description: | + Filehash source + - name: filtercat + type: keyword + description: | + DLP filter category + - name: filteridx + type: integer + description: | + DLP filter ID + - name: filtername + type: keyword + description: | + DLP rule 
name + - name: filtertype + type: keyword + description: | + DLP filter type + - name: fortiguardresp + type: keyword + description: | + Antispam ESP value + - name: forwardedfor + type: keyword + description: | + Email address forwarded + - name: fqdn + type: keyword + description: | + FQDN + - name: frametype + type: keyword + description: | + Wireless frametype + - name: freediskstorage + type: integer + description: | + Free disk integer + - name: from + type: keyword + description: | + From email address + - name: from_vcluster + type: integer + description: | + Source virtual cluster number + - name: fsaverdict + type: keyword + description: | + FSA verdict + - name: fwserver_name + type: keyword + description: | + Web proxy server name + - name: gateway + type: ip + description: | + Gateway ip address for PPPoE status report + - name: green + type: keyword + description: | + Memory status + - name: groupid + type: integer + description: | + User Group ID + - name: ha-prio + type: integer + description: | + HA Priority + - name: ha_group + type: keyword + description: | + HA Group + - name: ha_role + type: keyword + description: | + HA Role + - name: handshake + type: keyword + description: | + SSL Handshake + - name: hash + type: keyword + description: | + Hash value of downloaded file + - name: hbdn_reason + type: keyword + description: | + Heartbeat down reason + - name: highcount + type: integer + description: | + Highcount fabric summary + - name: host + type: keyword + description: | + Hostname + - name: iaid + type: keyword + description: | + DHCPv6 id + - name: icmpcode + type: keyword + description: | + Destination Port of the ICMP message + - name: icmpid + type: keyword + description: | + Source port of the ICMP message + - name: icmptype + type: keyword + description: | + The type of ICMP message + - name: identifier + type: integer + description: | + Network traffic identifier + - name: in_spi + type: keyword + description: | + IPSEC inbound SPI 
+ - name: incidentserialno + type: integer + description: | + Incident serial number + - name: infected + type: integer + description: | + Infected MMS + - name: infectedfilelevel + type: integer + description: | + DLP infected file level + - name: informationsource + type: keyword + description: | + Information source + - name: init + type: keyword + description: | + IPSEC init stage + - name: initiator + type: keyword + description: | + Original login user name for Fortiguard override + - name: interface + type: keyword + description: | + Related interface + - name: intf + type: keyword + description: | + Related interface + - name: invalidmac + type: keyword + description: | + The MAC address with invalid OUI + - name: ip + type: ip + description: | + Related IP + - name: iptype + type: keyword + description: | + Related IP type + - name: keyword + type: keyword + description: | + Keyword used for search + - name: kind + type: keyword + description: | + VOIP kind + - name: lanin + type: long + description: | + LAN incoming traffic in bytes + - name: lanout + type: long + description: | + LAN outbound traffic in bytes + - name: lease + type: integer + description: | + DHCP lease + - name: license_limit + type: keyword + description: | + Maximum Number of FortiClients for the License + - name: limit + type: integer + description: | + Virtual Domain Resource Limit + - name: line + type: keyword + description: | + VOIP line + - name: live + type: integer + description: | + Time in seconds + - name: local + type: ip + description: | + Local IP for a PPPD Connection + - name: log + type: keyword + description: | + Log message + - name: login + type: keyword + description: | + SSH login + - name: lowcount + type: integer + description: | + Fabric lowcount + - name: mac + type: keyword + description: | + DHCP mac address + - name: malform_data + type: integer + description: | + VOIP malformed data + - name: malform_desc + type: keyword + description: | + VOIP malformed 
data description + - name: manuf + type: keyword + description: | + Manufacturer name + - name: masterdstmac + type: keyword + description: | + Master mac address for a host with multiple network interfaces + - name: mastersrcmac + type: keyword + description: | + The master MAC address for a host that has multiple network interfaces + - name: mediumcount + type: integer + description: | + Fabric medium count + - name: mem + type: integer + description: | + Memory usage system statistics + - name: meshmode + type: keyword + description: | + Wireless mesh mode + - name: message_type + type: keyword + description: | + VOIP message type + - name: method + type: keyword + description: | + HTTP method + - name: mgmtcnt + type: integer + description: | + The number of unauthorized client flooding managemet frames + - name: mode + type: keyword + description: | + IPSEC mode + - name: module + type: keyword + description: | + PCI-DSS module + - name: monitor-name + type: keyword + description: | + Health Monitor Name + - name: monitor-type + type: keyword + description: | + Health Monitor Type + - name: mpsk + type: keyword + description: | + Wireless MPSK + - name: msgproto + type: keyword + description: | + Message Protocol Number + - name: mtu + type: integer + description: | + Max Transmission Unit Value + - name: name + type: keyword + description: | + Name + - name: nat + type: keyword + description: | + NAT IP Address + - name: netid + type: keyword + description: | + Connector NetID + - name: new_status + type: keyword + description: | + New status on user change + - name: new_value + type: keyword + description: | + New Virtual Domain Name + - name: newchannel + type: integer + description: | + New Channel Number + - name: newchassisid + type: integer + description: | + New Chassis ID + - name: newslot + type: integer + description: | + New Slot Number + - name: nextstat + type: integer + description: | + Time interval in seconds for the next statistics. 
+ - name: nf_type + type: keyword + description: | + Notification Type + - name: noise + type: integer + description: | + Wifi Noise + - name: old_status + type: keyword + description: | + Original Status + - name: old_value + type: keyword + description: | + Original Virtual Domain name + - name: oldchannel + type: integer + description: | + Original channel + - name: oldchassisid + type: integer + description: | + Original Chassis Number + - name: oldslot + type: integer + description: | + Original Slot Number + - name: oldsn + type: keyword + description: | + Old Serial number + - name: oldwprof + type: keyword + description: | + Old Web Filter Profile + - name: onwire + type: keyword + description: | + A flag to indicate if the AP is onwire or not + - name: opercountry + type: keyword + description: | + Operating Country + - name: opertxpower + type: integer + description: | + Operating TX power + - name: osname + type: keyword + description: | + Operating System name + - name: osversion + type: keyword + description: | + Operating System version + - name: out_spi + type: keyword + description: | + Out SPI + - name: outintf + type: keyword + description: | + Out interface + - name: passedcount + type: integer + description: | + Fabric passed count + - name: passwd + type: keyword + description: | + Changed user password information + - name: path + type: keyword + description: | + Path of looped configuration for security fabric + - name: peer + type: keyword + description: | + WAN optimization peer + - name: peer_notif + type: keyword + description: | + VPN peer notification + - name: phase2_name + type: keyword + description: | + VPN phase2 name + - name: phone + type: keyword + description: | + VOIP Phone + - name: pid + type: integer + description: | + Process ID + - name: policytype + type: keyword + description: | + Policy Type + - name: poolname + type: keyword + description: | + IP Pool name + - name: port + type: integer + description: | + Log upload 
error port + - name: portbegin + type: integer + description: | + IP Pool port number to begin + - name: portend + type: integer + description: | + IP Pool port number to end + - name: probeproto + type: keyword + description: | + Link Monitor Probe Protocol + - name: process + type: keyword + description: | + URL Filter process + - name: processtime + type: integer + description: | + Process time for reports + - name: profile + type: keyword + description: | + Profile Name + - name: profile_vd + type: keyword + description: | + Virtual Domain Name + - name: profilegroup + type: keyword + description: | + Profile Group Name + - name: profiletype + type: keyword + description: | + Profile Type + - name: qtypeval + type: integer + description: | + DNS question type value + - name: quarskip + type: keyword + description: | + Quarantine skip explanation + - name: quotaexceeded + type: keyword + description: | + If quota has been exceeded + - name: quotamax + type: long + description: | + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + - name: quotatype + type: keyword + description: | + Quota type + - name: quotaused + type: long + description: | + Quota used - in seconds if time-based - in bytes if trafficbased) + - name: radioband + type: keyword + description: | + Radio band + - name: radioid + type: integer + description: | + Radio ID + - name: radioidclosest + type: integer + description: | + Radio ID on the AP closest the rogue AP + - name: radioiddetected + type: integer + description: | + Radio ID on the AP which detected the rogue AP + - name: rate + type: keyword + description: | + Wireless rogue rate value + - name: rawdata + type: keyword + description: | + Raw data value + - name: rawdataid + type: keyword + description: | + Raw data ID + - name: rcvddelta + type: keyword + description: | + Received bytes delta + - name: reason + type: keyword + description: | + Alert reason + - name: received + type: integer + description: | 
+ Server key exchange received + - name: receivedsignature + type: keyword + description: | + Server key exchange received signature + - name: red + type: keyword + description: | + Memory information in red + - name: referralurl + type: keyword + description: | + Web filter referralurl + - name: remote + type: ip + description: | + Remote PPP IP address + - name: remotewtptime + type: keyword + description: | + Remote Wifi Radius authentication time + - name: reporttype + type: keyword + description: | + Report type + - name: reqtype + type: keyword + description: | + Request type + - name: request_name + type: keyword + description: | + VOIP request name + - name: result + type: keyword + description: | + VPN phase result + - name: role + type: keyword + description: | + VPN Phase 2 role + - name: rssi + type: integer + description: | + Received signal strength indicator + - name: rsso_key + type: keyword + description: | + RADIUS SSO attribute value + - name: ruledata + type: keyword + description: | + Rule data + - name: ruletype + type: keyword + description: | + Rule type + - name: scanned + type: integer + description: | + Number of Scanned MMSs + - name: scantime + type: long + description: | + Scanned time + - name: scope + type: keyword + description: | + FortiGuard Override Scope + - name: security + type: keyword + description: | + Wireless rogue security + - name: sensitivity + type: keyword + description: | + Sensitivity for document fingerprint + - name: sensor + type: keyword + description: | + NAC Sensor Name + - name: sentdelta + type: keyword + description: | + Sent bytes delta + - name: seq + type: keyword + description: | + Sequence number + - name: serial + type: keyword + description: | + WAN optimisation serial + - name: serialno + type: keyword + description: | + Serial number + - name: server + type: keyword + description: | + AD server FQDN or IP + - name: session_id + type: keyword + description: | + Session ID + - name: sessionid + 
type: integer + description: | + WAD Session ID + - name: setuprate + type: long + description: | + Session Setup Rate + - name: severity + type: keyword + description: | + Severity + - name: shaperdroprcvdbyte + type: integer + description: | + Received bytes dropped by shaper + - name: shaperdropsentbyte + type: integer + description: | + Sent bytes dropped by shaper + - name: shaperperipdropbyte + type: integer + description: | + Dropped bytes per IP by shaper + - name: shaperperipname + type: keyword + description: | + Traffic shaper name (per IP) + - name: shaperrcvdname + type: keyword + description: | + Traffic shaper name for received traffic + - name: shapersentname + type: keyword + description: | + Traffic shaper name for sent traffic + - name: shapingpolicyid + type: integer + description: | + Traffic shaper policy ID + - name: signal + type: integer + description: | + Wireless rogue API signal + - name: size + type: long + description: | + Email size in bytes + - name: slot + type: integer + description: | + Slot number + - name: sn + type: keyword + description: | + Security fabric serial number + - name: snclosest + type: keyword + description: | + SN of the AP closest to the rogue AP + - name: sndetected + type: keyword + description: | + SN of the AP which detected the rogue AP + - name: snmeshparent + type: keyword + description: | + SN of the mesh parent + - name: spi + type: keyword + description: | + IPSEC SPI + - name: src_int + type: keyword + description: | + Source interface + - name: srcintfrole + type: keyword + description: | + Source interface role + - name: srccountry + type: keyword + description: | + Source country + - name: srcfamily + type: keyword + description: | + Source family + - name: srchwvendor + type: keyword + description: | + Source hardware vendor + - name: srchwversion + type: keyword + description: | + Source hardware version + - name: srcinetsvc + type: keyword + description: | + Source interface service + - name: 
srcname + type: keyword + description: | + Source name + - name: srcserver + type: integer + description: | + Source server + - name: srcssid + type: keyword + description: | + Source SSID + - name: srcswversion + type: keyword + description: | + Source software version + - name: srcuuid + type: keyword + description: | + Source UUID + - name: sscname + type: keyword + description: | + SSC name + - name: ssid + type: keyword + description: | + Base Service Set ID + - name: sslaction + type: keyword + description: | + SSL Action + - name: ssllocal + type: keyword + description: | + WAD SSL local + - name: sslremote + type: keyword + description: | + WAD SSL remote + - name: stacount + type: integer + description: | + Number of stations/clients + - name: stage + type: keyword + description: | + IPSEC stage + - name: stamac + type: keyword + description: | + 802.1x station mac + - name: state + type: keyword + description: | + Admin login state + - name: status + type: keyword + description: | + Status + - name: stitch + type: keyword + description: | + Automation stitch triggered + - name: subject + type: keyword + description: | + Email subject + - name: submodule + type: keyword + description: | + Configuration Sub-Module Name + - name: subservice + type: keyword + description: | + AV subservice + - name: subtype + type: keyword + description: | + Log subtype + - name: suspicious + type: integer + description: | + Number of Suspicious MMSs + - name: switchproto + type: keyword + description: | + Protocol change information + - name: sync_status + type: keyword + description: | + The sync status with the master + - name: sync_type + type: keyword + description: | + The sync type with the master + - name: sysuptime + type: keyword + description: | + System uptime + - name: tamac + type: keyword + description: | + the MAC address of Transmitter, if none, then Receiver + - name: threattype + type: keyword + description: | + WIDS threat type + - name: time + type: 
keyword + description: | + Time of the event + - name: to + type: keyword + description: | + Email to field + - name: to_vcluster + type: integer + description: | + destination virtual cluster number + - name: total + type: integer + description: | + Total memory + - name: totalsession + type: integer + description: | + Total Number of Sessions + - name: trace_id + type: keyword + description: | + Session clash trace ID + - name: trandisp + type: keyword + description: | + NAT translation type + - name: transid + type: integer + description: | + HTTP transaction ID + - name: translationid + type: keyword + description: | + DNS filter transaltion ID + - name: trigger + type: keyword + description: | + Automation stitch trigger + - name: trueclntip + type: ip + description: | + File filter true client IP + - name: tunnelid + type: integer + description: | + IPSEC tunnel ID + - name: tunnelip + type: ip + description: | + IPSEC tunnel IP + - name: tunneltype + type: keyword + description: | + IPSEC tunnel type + - name: type + type: keyword + description: | + Module type + - name: ui + type: keyword + description: | + Admin authentication UI type + - name: unauthusersource + type: keyword + description: | + Unauthenticated user source + - name: unit + type: integer + description: | + Power supply unit + - name: urlfilteridx + type: integer + description: | + URL filter ID + - name: urlfilterlist + type: keyword + description: | + URL filter list + - name: urlsource + type: keyword + description: | + URL filter source + - name: urltype + type: keyword + description: | + URL filter type + - name: used + type: integer + description: | + Number of Used IPs + - name: used_for_type + type: integer + description: | + Connection for the type + - name: utmaction + type: keyword + description: | + Security action performed by UTM + - name: vap + type: keyword + description: | + Virtual AP + - name: vapmode + type: keyword + description: | + Virtual AP mode + - name: vcluster + 
type: integer + description: | + virtual cluster id + - name: vcluster_member + type: integer + description: | + Virtual cluster member + - name: vcluster_state + type: keyword + description: | + Virtual cluster state + - name: vd + type: keyword + description: | + Virtual Domain Name + - name: vdname + type: keyword + description: | + Virtual Domain Name + - name: vendorurl + type: keyword + description: | + Vulnerability scan vendor name + - name: version + type: keyword + description: | + Version + - name: vip + type: keyword + description: | + Virtual IP + - name: virus + type: keyword + description: | + Virus name + - name: virusid + type: integer + description: | + Virus ID (unique virus identifier) + - name: voip_proto + type: keyword + description: | + VOIP protocol + - name: vpn + type: keyword + description: | + VPN description + - name: vpntunnel + type: keyword + description: | + IPsec Vpn Tunnel Name + - name: vpntype + type: keyword + description: | + The type of the VPN tunnel + - name: vrf + type: integer + description: | + VRF number + - name: vulncat + type: keyword + description: | + Vulnerability Category + - name: vulnid + type: integer + description: | + Vulnerability ID + - name: vulnname + type: keyword + description: | + Vulnerability name + - name: vwlid + type: integer + description: | + VWL ID + - name: vwlquality + type: keyword + description: | + VWL quality + - name: vwlservice + type: keyword + description: | + VWL service + - name: vwpvlanid + type: integer + description: | + VWP VLAN ID + - name: wanin + type: long + description: | + WAN incoming traffic in bytes + - name: wanoptapptype + type: keyword + description: | + WAN Optimization Application type + - name: wanout + type: long + description: | + WAN outgoing traffic in bytes + - name: weakwepiv + type: keyword + description: | + Weak Wep Initiation Vector + - name: xauthgroup + type: keyword + description: | + XAuth Group Name + - name: xauthuser + type: keyword + 
description: |
+ XAuth User Name
+ - name: xid
+ type: integer
+ description: |
+ Wireless X ID
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/manifest.yml b/packages/fortinet/1.6.1/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..e7b1e8797e
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/manifest.yml
@@ -0,0 +1,189 @@
+type: logs
+title: Fortinet firewall logs
+streams:
+ - input: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9004
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-firewall
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ template_path: tcp.yml.hbs
+ title: Fortinet firewall logs (tcp)
+ description: Collect Fortinet firewall logs using tcp input
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9004
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-firewall
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Fortinet firewall logs (udp)
+ description: Collect Fortinet firewall logs using udp input
+ - input: logfile
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - /var/log/fortinet-firewall.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-firewall
+ - forwarded
+ - name: internal_interfaces
+ type: text
+ title: Internal Interfaces
+ multi: true
+ required: false
+ show_user: false
+ - name: external_interfaces
+ type: text
+ title: External Interfaces
+ multi: true
+ required: false
+ show_user: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Fortinet firewall logs (log)
+ description: Collect Fortinet firewall logs using log input
diff --git a/packages/fortinet/1.6.1/data_stream/firewall/sample_event.json b/packages/fortinet/1.6.1/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..c783c2938f
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/firewall/sample_event.json
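Review bot: The commented-out `tcp_options` default in the tcp stream spells the framing mode as `#framing: delimitier`; the TCP input accepts `delimiter` (or `rfc6587`), so an operator who uncomments the example line to follow it gets a rejected input configuration, and the line should read `#framing: delimiter`. The `ssl` var description says "i.e. certificate_authorities, supported_protocols, verification_mode etc." when these are examples, so `e.g.` is meant, and because the default snippet only shows `certificate_authorities` it would help to state that enabling TLS on the listener also requires `certificate` and `key`. The logfile stream exposes `internal_interfaces` and `external_interfaces` while the tcp and udp streams do not; if the stream templates use them for direction classification, syslog users have no way to set them, which is worth confirming against the .hbs templates.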
@@ -0,0 +1,143 @@
+{
+ "@timestamp": "2019-05-15T18:03:36.000Z",
+ "agent": {
+ "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
+ "hostname": "docker-fleet-agent",
+ "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.14.0"
+ },
+ "data_stream": {
+ "dataset": "fortinet.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "as": {
+ "number": 41690,
+ "organization": {
+ "name": "Dailymotion S.A."
+ }
+ },
+ "geo": {
+ "continent_name": "Europe",
+ "country_iso_code": "FR",
+ "country_name": "France",
+ "location": {
+ "lat": 48.8582,
+ "lon": 2.3387
+ }
+ },
+ "ip": "195.8.215.136",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
+ "snapshot": true,
+ "version": "7.14.0"
+ },
+ "event": {
+ "action": "app-ctrl-all",
+ "category": [
+ "network"
+ ],
+ "code": "1059028704",
+ "dataset": "fortinet.firewall",
+ "ingested": "2021-06-03T12:38:44.458586716Z",
+ "kind": "event",
+ "module": "fortinet",
+ "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
+ "outcome": "success",
+ "start": "2019-05-16T01:03:35.000Z",
+ "type": [
+ "allowed"
+ ]
+ },
+ "fortinet": {
+ "firewall": {
+ "action": "pass",
+ "appid": "40568",
+ "apprisk":
"medium", + "dstintfrole": "wan", + "incidentserialno": "1962906680", + "sessionid": "4414", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "type": "utm", + "vd": "root" + } + }, + "input": { + "type": "udp" + }, + "log": { + "level": "information", + "source": { + "address": "192.168.240.4:54617" + } + }, + "message": "Web.Client: HTTPS.BROWSER,", + "network": { + "application": "HTTPS.BROWSER", + "direction": "outbound", + "iana_number": "6", + "transport": "tcp", + "protocol": "https" + }, + "observer": { + "egress": { + "interface": { + "name": "port9" + } + }, + "ingress": { + "interface": { + "name": "port10" + } + }, + "product": "Fortigate", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "10.1.100.22", + "195.8.215.136" + ] + }, + "rule": { + "category": "Web-Client", + "id": "1", + "ruleset": "block-social.media" + }, + "source": { + "ip": "10.1.100.22", + "port": 50798 + }, + "tags": [ + "fortinet-firewall", + "forwarded", + "preserve_original_event" + ], + "tls": { + "server": { + "issuer": "DigiCert SHA2 High Assurance Server CA", + "x509": { + "issuer": { + "common_name": "DigiCert SHA2 High Assurance Server CA" + }, + "subject": { + "common_name": "*.dailymotion.com" + } + } + } + }, + "url": { + "domain": "www.dailymotion.com", + "path": "/" + } +} \ No newline at end of file diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/log.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..ebfe27d7c1 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/log.yml.hbs 
@@ -0,0 +1,4300 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiMail" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ui=%{p0}"); + + var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var dup7 = setc("eventcategory","1401000000"); + + var dup8 = setf("msg","$MSG"); + + var dup9 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = setf("hardware_id","hfld1"); + + var dup11 = setf("id","hfld2"); + + var dup12 = setf("id1","hfld3"); + + var dup13 = setf("event_type","msgIdPart1"); + + var dup14 = setf("category","msgIdPart2"); + + var dup15 = setf("severity","hseverity"); + + var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var dup17 = setc("eventcategory","1602000000"); + + var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); + + var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var dup33 = setc("eventcategory","1003010000"); + + var dup34 = setf("event_type","messageid"); + + var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); + + var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var dup60 = setc("eventcategory","1207000000"); + + var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var dup62 = setc("eventcategory","1207040000"); + + var dup63 = linear_select([ + dup3, + dup4, + ]); + + var dup64 = linear_select([ + dup5, + dup6, + ]); + + var dup65 = linear_select([ + dup19, + dup20, + ]); + + var dup66 = linear_select([ + dup22, + dup23, + ]); + + var dup67 = linear_select([ + dup3, + dup20, + ]); + + var dup68 = linear_select([ + dup24, + dup25, + ]); + + var dup69 = linear_select([ + dup27, + dup28, + ]); + + var dup70 = linear_select([ + dup29, + dup30, + ]); + + var dup71 = linear_select([ + dup36, + dup37, + ]); + + var dup72 = linear_select([ + dup38, + dup39, + ]); + + var dup73 = linear_select([ + dup40, + dup41, + ]); + + var dup74 = 
linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup75 = linear_select([ + dup45, + dup46, + ]); + + var dup76 = linear_select([ + dup47, + dup48, + ]); + + var dup77 = linear_select([ + dup49, + dup50, + ]); + + var dup78 = linear_select([ + dup52, + dup53, + ]); + + var dup79 = linear_select([ + dup54, + dup55, + ]); + + var dup80 = linear_select([ + dup56, + dup57, + ]); + + var dup81 = linear_select([ + dup58, + dup59, + ]); + + var dup82 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); + + var all1 = all_match({ + processors: [ + dup2, + dup63, + part1, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + 
dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg1 = msg("event_admin", all1); + + var msg2 = msg("event_pop3", dup82); + + var all2 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg3 = msg("event_webmail", all2); + + var msg4 = msg("event_system", dup82); + + var msg5 = msg("event_imap", dup82); + + var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); + + var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); + + var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); + + var all3 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part2, + select2, + part5, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg6 = msg("event_smtp:01", all3); + + var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); + + var all4 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg7 = msg("event_smtp:02", all4); + + var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); + + var all5 = all_match({ + processors: [ + dup18, + dup65, + 
part7, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg8 = msg("event_smtp:03", all5); + + var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); + + var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); + + var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); + + var select3 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); + + var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); + + var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); + + var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); + + var select4 = linear_select([ + part12, + part13, + part14, + ]); + + var all6 = all_match({ + processors: [ + part8, + select3, + part11, + select4, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg9 = msg("event_smtp:04", all6); + + var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); + + var all7 = all_match({ + processors: [ + dup18, + dup67, + part15, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg10 = msg("event_smtp:05", all7); + + var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); + + var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); + + var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); + + var select5 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); + + var all8 = all_match({ + processors: [ + dup18, + dup65, + part16, + select5, + part19, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg11 = msg("event_smtp:06", all8); + + var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); + + var all9 = all_match({ + processors: [ + dup18, + dup67, + part20, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg12 = msg("event_smtp:07", all9); + + var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); + + var all10 = all_match({ + processors: [ + dup18, + dup67, + part21, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg13 = msg("event_smtp:08", all10); + + var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); + + var all11 = all_match({ + processors: [ + dup18, + dup65, + part22, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg14 = 
msg("event_smtp:09", all11); + + var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); + + var all12 = all_match({ + processors: [ + dup18, + dup65, + part23, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + setc("dclass_counter1_string","count"), + ]), + }); + + var msg15 = msg("event_smtp:10", all12); + + var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); + + var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); + + var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); + + var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); + + var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); + + var select6 = linear_select([ + part25, + part26, + part27, + part28, + ]); + + var all13 = all_match({ + processors: [ + dup18, + dup65, + part24, + select6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg16 = msg("event_smtp:11", all13); + + var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup63, + part29, + dup68, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg17 = msg("event_smtp", all14); + + var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { + "action": "action", + "log_part": "id1", + "msg": "info", + "session_id": "sessionid", + "status": "event_state", + "ui": "network_service", + "user": "username", + }, processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ])); + + var msg18 = msg("event_smtp:12", part30); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + ]); + + var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); + + var all15 = all_match({ + processors: [ + part31, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg19 = msg("event_update", all15); + + var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); + + var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); + + var select8 = linear_select([ + part32, + part33, + ]); + + var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); + + var all16 = all_match({ + processors: [ + dup2, + select8, + part34, + dup64, + ], + on_success: processor_chain([ + setc("eventcategory","1701000000"), + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg20 = msg("event_config", all16); + + var select9 = linear_select([ + dup31, + dup32, + ]); + + var all17 = all_match({ + processors: [ + dup26, + dup69, + dup70, + select9, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg21 = msg("virus", all17); + + var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); + + var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); + + var select10 = linear_select([ + part35, + part36, + ]); + + var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); + + var all18 = all_match({ + processors: [ + dup26, + dup69, + select10, + part37, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup15, + ]), + }); + + var msg22 = msg("virus_infected", all18); + + var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); + + var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); + + var select11 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); + + var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); + + var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); + + var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); + + var select12 = linear_select([ + part40, + part41, + part42, + part43, + dup31, + dup32, + ]); + + var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); + + var select13 = linear_select([ + part44, + dup5, + dup6, + ]); + + var all19 = all_match({ + processors: [ + select11, + dup70, + select12, + dup68, + select13, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg23 = msg("virus_file-signature", all19); + + var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); + + var all20 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + 
part45, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg24 = msg("statistics", all20); + + var all21 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + dup61, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg25 = msg("statistics:01", all21); + + var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); + + var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); + + var select14 = linear_select([ + part46, + part47, + ]); + + var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); + + var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); + + var select15 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); + + var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); + + var select16 = linear_select([ + part50, + part51, + ]); + + var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); + + var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); + + var select17 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); + + var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); + + var select18 = linear_select([ + part54, + part55, + ]); + + var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); + + var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); + + var select19 = linear_select([ + part56, + part57, + ]); + + var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); + + var all22 = all_match({ + processors: [ + dup35, + dup71, + dup69, + dup76, + select14, + select15, + select16, + select17, + dup74, + dup61, + select18, + select19, + part58, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg26 = msg("statistics:02", all22); + + var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); + + var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); + + var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); + + var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); + + var select20 = linear_select([ + part60, + part61, + part62, + ]); + + var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); + + var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); + + var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); + + var all23 = all_match({ + processors: [ + part59, + select20, + part63, + select21, + part66, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + 
dup12, + dup34, + dup15, + ]), + }); + + var msg27 = msg("statistics:03", all23); + + var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); + + var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); + + var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); + + var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); + + var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); + + var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); + + var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); + + var select23 = linear_select([ + part69, + part70, + part71, + part72, + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); + + var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); + + var select24 = linear_select([ + part75, + part76, + ]); + + var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); + + var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); + + var select25 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); + + var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); + + var select26 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); + + var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); + + var select27 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); + + var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); + + var select28 = linear_select([ + part83, + part84, + ]); + + var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); + + var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); + + var select29 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); + + var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); + + var select30 = linear_select([ + part87, + part88, + ]); + + var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); + + var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); + + var select31 = linear_select([ + part89, + part90, + ]); + + var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); + + var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); + + var select32 = linear_select([ + part91, + part92, + ]); + + var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); + + var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); + + var select33 = linear_select([ + part93, + part94, + ]); + + var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); + + var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); + + var select34 = linear_select([ + part95, + part96, + ]); + + var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); + + var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); + + var select35 = linear_select([ + part97, + part98, + ]); + + var all24 = all_match({ + processors: [ + dup35, + select22, + select23, + select24, + select25, + select26, + select27, + select28, + select29, + select30, + select31, + select32, + select33, + dup78, + dup79, + select34, + select35, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg28 = msg("statistics:04", all24); + + var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { + "classifier": "filter", + "client_ip": "saddr", + "client_name": "fqdn", + "direction": "direction", + "disposition": "disposition", + "domain": "domain", + "dst_ip": "daddr", + "from": "from", + "hfrom": "fld3", + "mailer": "agent", + "message_length": "fld6", + "polid": "fld5", + "resolved": "context", + "session_id": "sessionid", + "src_type": "fld7", + "subject": "subject", + "to": "to", + "virus": "virusname", + }, processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg29 = msg("statistics:05", part99); + + var select36 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + ]); + + var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); + + var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); + + var select37 = linear_select([ + part100, + part101, + ]); + + var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); + + var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); + + var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); + + var select38 = linear_select([ + part103, + part104, + ]); + + var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); + 
+ var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); + + var select39 = linear_select([ + part105, + part106, + ]); + + var all25 = all_match({ + processors: [ + dup35, + select37, + dup74, + part102, + dup69, + select38, + select39, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg30 = msg("spam", all25); + + var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg31 = msg("spam:04", part107); + + var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); + + var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); + + var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); + + var select40 = linear_select([ + part109, + part110, + ]); + + var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); + + var all26 = all_match({ + processors: [ + part108, + select40, + part111, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg32 = msg("spam:03", all26); + + var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg33 = msg("spam:02", part112); + + var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); + + var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); + + var select41 = linear_select([ + part113, + part114, + ]); + + var all27 = all_match({ + processors: [ + dup35, + dup71, + dup69, + select41, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg34 = msg("spam:01", all27); + + var select42 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_admin": msg1, + "event_config": msg20, + "event_imap": msg5, + "event_pop3": msg2, + "event_smtp": select7, + "event_system": msg4, + "event_update": msg19, + "event_webmail": msg3, + "spam": select42, + "statistics": select36, + "virus": msg21, + "virus_file-signature": msg23, + "virus_infected": msg22, + }), + ]); + + var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); + + var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); + + var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); + + var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var select43 = linear_select([ + dup3, + dup4, + ]); + + var select44 = linear_select([ + dup5, + dup6, + ]); + + var select45 = linear_select([ + dup19, + dup20, + ]); + + var select46 = linear_select([ + dup22, + dup23, + ]); + + var select47 = linear_select([ + dup3, + dup20, + ]); + + var select48 = linear_select([ + dup24, + dup25, + ]); + + var select49 = linear_select([ + 
dup27, + dup28, + ]); + + var select50 = linear_select([ + dup29, + dup30, + ]); + + var select51 = linear_select([ + dup36, + dup37, + ]); + + var select52 = linear_select([ + dup38, + dup39, + ]); + + var select53 = linear_select([ + dup40, + dup41, + ]); + + var select54 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select55 = linear_select([ + dup45, + dup46, + ]); + + var select56 = linear_select([ + dup47, + dup48, + ]); + + var select57 = linear_select([ + dup49, + dup50, + ]); + + var select58 = linear_select([ + dup52, + dup53, + ]); + + var select59 = linear_select([ + dup54, + dup55, + ]); + + var select60 = linear_select([ + dup56, + dup57, + ]); + + var select61 = linear_select([ + dup58, + dup59, + ]); + + var all28 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: 
source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..e7783c73ac
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/tcp.yml.hbs
@@ -0,0 +1,4297 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Fortinet"
+ product: "FortiMail"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function match_copy(id, src, dst, on_success) {
+ dst = FIELDS_PREFIX + dst;
+ if (dst === FIELDS_PREFIX || dst === src) {
+ return function (evt) {
+ if (debug) {
+ console.debug("noop OK: " + id + " field:" + src);
+ console.debug(" input: <<" + evt.Get(src) + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+ return function (evt) {
+ var msg = evt.Get(src);
+ evt.Put(dst, msg);
+ if (debug) {
+ console.debug("copy OK: " + id + " field:" + src);
+ console.debug(" target: '" + dst + "'");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ui=%{p0}"); + + var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var dup7 = setc("eventcategory","1401000000"); + + var dup8 = setf("msg","$MSG"); + + var dup9 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = setf("hardware_id","hfld1"); + + var dup11 = setf("id","hfld2"); + + var dup12 = setf("id1","hfld3"); + + var dup13 = setf("event_type","msgIdPart1"); + + var dup14 = setf("category","msgIdPart2"); + + var dup15 = setf("severity","hseverity"); + + var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var dup17 = setc("eventcategory","1602000000"); + + var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); + + var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var dup33 = setc("eventcategory","1003010000"); + + var dup34 = setf("event_type","messageid"); + + var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); + + var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var dup60 = setc("eventcategory","1207000000"); + + var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var dup62 = setc("eventcategory","1207040000"); + + var dup63 = linear_select([ + dup3, + dup4, + ]); + + var dup64 = linear_select([ + dup5, + dup6, + ]); + + var dup65 = linear_select([ + dup19, + dup20, + ]); + + var dup66 = linear_select([ + dup22, + dup23, + ]); + + var dup67 = linear_select([ + dup3, + dup20, + ]); + + var dup68 = linear_select([ + dup24, + dup25, + ]); + + var dup69 = linear_select([ + dup27, + dup28, + ]); + + var dup70 = linear_select([ + dup29, + dup30, + ]); + + var dup71 = linear_select([ + dup36, + dup37, + ]); + + var dup72 = linear_select([ + dup38, + dup39, + ]); + + var dup73 = linear_select([ + dup40, + dup41, + ]); + + var dup74 = 
linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup75 = linear_select([ + dup45, + dup46, + ]); + + var dup76 = linear_select([ + dup47, + dup48, + ]); + + var dup77 = linear_select([ + dup49, + dup50, + ]); + + var dup78 = linear_select([ + dup52, + dup53, + ]); + + var dup79 = linear_select([ + dup54, + dup55, + ]); + + var dup80 = linear_select([ + dup56, + dup57, + ]); + + var dup81 = linear_select([ + dup58, + dup59, + ]); + + var dup82 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); + + var all1 = all_match({ + processors: [ + dup2, + dup63, + part1, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + 
dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg1 = msg("event_admin", all1); + + var msg2 = msg("event_pop3", dup82); + + var all2 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg3 = msg("event_webmail", all2); + + var msg4 = msg("event_system", dup82); + + var msg5 = msg("event_imap", dup82); + + var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); + + var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); + + var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); + + var all3 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part2, + select2, + part5, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg6 = msg("event_smtp:01", all3); + + var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); + + var all4 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg7 = msg("event_smtp:02", all4); + + var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); + + var all5 = all_match({ + processors: [ + dup18, + dup65, + 
part7, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg8 = msg("event_smtp:03", all5); + + var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); + + var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); + + var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); + + var select3 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); + + var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); + + var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); + + var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); + + var select4 = linear_select([ + part12, + part13, + part14, + ]); + + var all6 = all_match({ + processors: [ + part8, + select3, + part11, + select4, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg9 = msg("event_smtp:04", all6); + + var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); + + var all7 = all_match({ + processors: [ + dup18, + dup67, + part15, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg10 = msg("event_smtp:05", all7); + + var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); + + var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); + + var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); + + var select5 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); + + var all8 = all_match({ + processors: [ + dup18, + dup65, + part16, + select5, + part19, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg11 = msg("event_smtp:06", all8); + + var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); + + var all9 = all_match({ + processors: [ + dup18, + dup67, + part20, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg12 = msg("event_smtp:07", all9); + + var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); + + var all10 = all_match({ + processors: [ + dup18, + dup67, + part21, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg13 = msg("event_smtp:08", all10); + + var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); + + var all11 = all_match({ + processors: [ + dup18, + dup65, + part22, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg14 = 
msg("event_smtp:09", all11); + + var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); + + var all12 = all_match({ + processors: [ + dup18, + dup65, + part23, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + setc("dclass_counter1_string","count"), + ]), + }); + + var msg15 = msg("event_smtp:10", all12); + + var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); + + var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); + + var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); + + var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); + + var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); + + var select6 = linear_select([ + part25, + part26, + part27, + part28, + ]); + + var all13 = all_match({ + processors: [ + dup18, + dup65, + part24, + select6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg16 = msg("event_smtp:11", all13); + + var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup63, + part29, + dup68, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg17 = msg("event_smtp", all14); + + var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { + "action": "action", + "log_part": "id1", + "msg": "info", + "session_id": "sessionid", + "status": "event_state", + "ui": "network_service", + "user": "username", + }, processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ])); + + var msg18 = msg("event_smtp:12", part30); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + ]); + + var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); + + var all15 = all_match({ + processors: [ + part31, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg19 = msg("event_update", all15); + + var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); + + var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); + + var select8 = linear_select([ + part32, + part33, + ]); + + var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); + + var all16 = all_match({ + processors: [ + dup2, + select8, + part34, + dup64, + ], + on_success: processor_chain([ + setc("eventcategory","1701000000"), + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg20 = msg("event_config", all16); + + var select9 = linear_select([ + dup31, + dup32, + ]); + + var all17 = all_match({ + processors: [ + dup26, + dup69, + dup70, + select9, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg21 = msg("virus", all17); + + var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); + + var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); + + var select10 = linear_select([ + part35, + part36, + ]); + + var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); + + var all18 = all_match({ + processors: [ + dup26, + dup69, + select10, + part37, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup15, + ]), + }); + + var msg22 = msg("virus_infected", all18); + + var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); + + var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); + + var select11 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); + + var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); + + var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); + + var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); + + var select12 = linear_select([ + part40, + part41, + part42, + part43, + dup31, + dup32, + ]); + + var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); + + var select13 = linear_select([ + part44, + dup5, + dup6, + ]); + + var all19 = all_match({ + processors: [ + select11, + dup70, + select12, + dup68, + select13, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg23 = msg("virus_file-signature", all19); + + var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); + + var all20 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + 
part45, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg24 = msg("statistics", all20); + + var all21 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + dup61, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg25 = msg("statistics:01", all21); + + var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); + + var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); + + var select14 = linear_select([ + part46, + part47, + ]); + + var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); + + var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); + + var select15 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); + + var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); + + var select16 = linear_select([ + part50, + part51, + ]); + + var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); + + var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); + + var select17 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); + + var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); + + var select18 = linear_select([ + part54, + part55, + ]); + + var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); + + var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); + + var select19 = linear_select([ + part56, + part57, + ]); + + var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); + + var all22 = all_match({ + processors: [ + dup35, + dup71, + dup69, + dup76, + select14, + select15, + select16, + select17, + dup74, + dup61, + select18, + select19, + part58, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg26 = msg("statistics:02", all22); + + var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); + + var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); + + var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); + + var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); + + var select20 = linear_select([ + part60, + part61, + part62, + ]); + + var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); + + var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); + + var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); + + var all23 = all_match({ + processors: [ + part59, + select20, + part63, + select21, + part66, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + 
dup12, + dup34, + dup15, + ]), + }); + + var msg27 = msg("statistics:03", all23); + + var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); + + var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); + + var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); + + var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); + + var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); + + var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); + + var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); + + var select23 = linear_select([ + part69, + part70, + part71, + part72, + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); + + var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); + + var select24 = linear_select([ + part75, + part76, + ]); + + var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); + + var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); + + var select25 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); + + var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); + + var select26 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); + + var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); + + var select27 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); + + var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); + + var select28 = linear_select([ + part83, + part84, + ]); + + var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); + + var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); + + var select29 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); + + var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); + + var select30 = linear_select([ + part87, + part88, + ]); + + var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); + + var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); + + var select31 = linear_select([ + part89, + part90, + ]); + + var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); + + var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); + + var select32 = linear_select([ + part91, + part92, + ]); + + var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); + + var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); + + var select33 = linear_select([ + part93, + part94, + ]); + + var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); + + var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); + + var select34 = linear_select([ + part95, + part96, + ]); + + var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); + + var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); + + var select35 = linear_select([ + part97, + part98, + ]); + + var all24 = all_match({ + processors: [ + dup35, + select22, + select23, + select24, + select25, + select26, + select27, + select28, + select29, + select30, + select31, + select32, + select33, + dup78, + dup79, + select34, + select35, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg28 = msg("statistics:04", all24); + + var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { + "classifier": "filter", + "client_ip": "saddr", + "client_name": "fqdn", + "direction": "direction", + "disposition": "disposition", + "domain": "domain", + "dst_ip": "daddr", + "from": "from", + "hfrom": "fld3", + "mailer": "agent", + "message_length": "fld6", + "polid": "fld5", + "resolved": "context", + "session_id": "sessionid", + "src_type": "fld7", + "subject": "subject", + "to": "to", + "virus": "virusname", + }, processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg29 = msg("statistics:05", part99); + + var select36 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + ]); + + var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); + + var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); + + var select37 = linear_select([ + part100, + part101, + ]); + + var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); + + var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); + + var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); + + var select38 = linear_select([ + part103, + part104, + ]); + + var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); + 
+ var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); + + var select39 = linear_select([ + part105, + part106, + ]); + + var all25 = all_match({ + processors: [ + dup35, + select37, + dup74, + part102, + dup69, + select38, + select39, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg30 = msg("spam", all25); + + var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg31 = msg("spam:04", part107); + + var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); + + var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); + + var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); + + var select40 = linear_select([ + part109, + part110, + ]); + + var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); + + var all26 = all_match({ + processors: [ + part108, + select40, + part111, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg32 = msg("spam:03", all26); + + var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg33 = msg("spam:02", part112); + + var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); + + var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); + + var select41 = linear_select([ + part113, + part114, + ]); + + var all27 = all_match({ + processors: [ + dup35, + dup71, + dup69, + select41, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg34 = msg("spam:01", all27); + + var select42 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_admin": msg1, + "event_config": msg20, + "event_imap": msg5, + "event_pop3": msg2, + "event_smtp": select7, + "event_system": msg4, + "event_update": msg19, + "event_webmail": msg3, + "spam": select42, + "statistics": select36, + "virus": msg21, + "virus_file-signature": msg23, + "virus_infected": msg22, + }), + ]); + + var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); + + var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); + + var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); + + var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var select43 = linear_select([ + dup3, + dup4, + ]); + + var select44 = linear_select([ + dup5, + dup6, + ]); + + var select45 = linear_select([ + dup19, + dup20, + ]); + + var select46 = linear_select([ + dup22, + dup23, + ]); + + var select47 = linear_select([ + dup3, + dup20, + ]); + + var select48 = linear_select([ + dup24, + dup25, + ]); + + var select49 = linear_select([ + 
dup27, + dup28, + ]); + + var select50 = linear_select([ + dup29, + dup30, + ]); + + var select51 = linear_select([ + dup36, + dup37, + ]); + + var select52 = linear_select([ + dup38, + dup39, + ]); + + var select53 = linear_select([ + dup40, + dup41, + ]); + + var select54 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select55 = linear_select([ + dup45, + dup46, + ]); + + var select56 = linear_select([ + dup47, + dup48, + ]); + + var select57 = linear_select([ + dup49, + dup50, + ]); + + var select58 = linear_select([ + dup52, + dup53, + ]); + + var select59 = linear_select([ + dup54, + dup55, + ]); + + var select60 = linear_select([ + dup56, + dup57, + ]); + + var select61 = linear_select([ + dup58, + dup59, + ]); + + var all28 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: 
source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..2cd8466da0
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/agent/stream/udp.yml.hbs
@@ -0,0 +1,4297 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiMail" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ui=%{p0}"); + + var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var dup7 = setc("eventcategory","1401000000"); + + var dup8 = setf("msg","$MSG"); + + var dup9 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = setf("hardware_id","hfld1"); + + var dup11 = setf("id","hfld2"); + + var dup12 = setf("id1","hfld3"); + + var dup13 = setf("event_type","msgIdPart1"); + + var dup14 = setf("category","msgIdPart2"); + + var dup15 = setf("severity","hseverity"); + + var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var dup17 = setc("eventcategory","1602000000"); + + var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); + + var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var dup33 = setc("eventcategory","1003010000"); + + var dup34 = setf("event_type","messageid"); + + var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); + + var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var dup60 = setc("eventcategory","1207000000"); + + var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var dup62 = setc("eventcategory","1207040000"); + + var dup63 = linear_select([ + dup3, + dup4, + ]); + + var dup64 = linear_select([ + dup5, + dup6, + ]); + + var dup65 = linear_select([ + dup19, + dup20, + ]); + + var dup66 = linear_select([ + dup22, + dup23, + ]); + + var dup67 = linear_select([ + dup3, + dup20, + ]); + + var dup68 = linear_select([ + dup24, + dup25, + ]); + + var dup69 = linear_select([ + dup27, + dup28, + ]); + + var dup70 = linear_select([ + dup29, + dup30, + ]); + + var dup71 = linear_select([ + dup36, + dup37, + ]); + + var dup72 = linear_select([ + dup38, + dup39, + ]); + + var dup73 = linear_select([ + dup40, + dup41, + ]); + + var dup74 = 
linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup75 = linear_select([ + dup45, + dup46, + ]); + + var dup76 = linear_select([ + dup47, + dup48, + ]); + + var dup77 = linear_select([ + dup49, + dup50, + ]); + + var dup78 = linear_select([ + dup52, + dup53, + ]); + + var dup79 = linear_select([ + dup54, + dup55, + ]); + + var dup80 = linear_select([ + dup56, + dup57, + ]); + + var dup81 = linear_select([ + dup58, + dup59, + ]); + + var dup82 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); + + var all1 = all_match({ + processors: [ + dup2, + dup63, + part1, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + 
dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg1 = msg("event_admin", all1); + + var msg2 = msg("event_pop3", dup82); + + var all2 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg3 = msg("event_webmail", all2); + + var msg4 = msg("event_system", dup82); + + var msg5 = msg("event_imap", dup82); + + var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); + + var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); + + var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); + + var all3 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part2, + select2, + part5, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg6 = msg("event_smtp:01", all3); + + var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); + + var all4 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg7 = msg("event_smtp:02", all4); + + var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); + + var all5 = all_match({ + processors: [ + dup18, + dup65, + 
part7, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg8 = msg("event_smtp:03", all5); + + var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); + + var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); + + var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); + + var select3 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); + + var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); + + var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); + + var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); + + var select4 = linear_select([ + part12, + part13, + part14, + ]); + + var all6 = all_match({ + processors: [ + part8, + select3, + part11, + select4, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg9 = msg("event_smtp:04", all6); + + var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); + + var all7 = all_match({ + processors: [ + dup18, + dup67, + part15, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg10 = msg("event_smtp:05", all7); + + var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); + + var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); + + var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); + + var select5 = linear_select([ + part17, + part18, + ]); + + var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); + + var all8 = all_match({ + processors: [ + dup18, + dup65, + part16, + select5, + part19, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg11 = msg("event_smtp:06", all8); + + var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); + + var all9 = all_match({ + processors: [ + dup18, + dup67, + part20, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg12 = msg("event_smtp:07", all9); + + var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); + + var all10 = all_match({ + processors: [ + dup18, + dup67, + part21, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg13 = msg("event_smtp:08", all10); + + var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); + + var all11 = all_match({ + processors: [ + dup18, + dup65, + part22, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg14 = 
msg("event_smtp:09", all11); + + var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); + + var all12 = all_match({ + processors: [ + dup18, + dup65, + part23, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + setc("dclass_counter1_string","count"), + ]), + }); + + var msg15 = msg("event_smtp:10", all12); + + var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); + + var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); + + var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); + + var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); + + var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); + + var select6 = linear_select([ + part25, + part26, + part27, + part28, + ]); + + var all13 = all_match({ + processors: [ + dup18, + dup65, + part24, + select6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg16 = msg("event_smtp:11", all13); + + var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup63, + part29, + dup68, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg17 = msg("event_smtp", all14); + + var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { + "action": "action", + "log_part": "id1", + "msg": "info", + "session_id": "sessionid", + "status": "event_state", + "ui": "network_service", + "user": "username", + }, processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ])); + + var msg18 = msg("event_smtp:12", part30); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + ]); + + var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); + + var all15 = all_match({ + processors: [ + part31, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg19 = msg("event_update", all15); + + var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); + + var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); + + var select8 = linear_select([ + part32, + part33, + ]); + + var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); + + var all16 = all_match({ + processors: [ + dup2, + select8, + part34, + dup64, + ], + on_success: processor_chain([ + setc("eventcategory","1701000000"), + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + + var msg20 = msg("event_config", all16); + + var select9 = linear_select([ + dup31, + dup32, + ]); + + var all17 = all_match({ + processors: [ + dup26, + dup69, + dup70, + select9, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg21 = msg("virus", all17); + + var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); + + var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); + + var select10 = linear_select([ + part35, + part36, + ]); + + var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); + + var all18 = all_match({ + processors: [ + dup26, + dup69, + select10, + part37, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup15, + ]), + }); + + var msg22 = msg("virus_infected", all18); + + var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); + + var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); + + var select11 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); + + var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); + + var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); + + var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); + + var select12 = linear_select([ + part40, + part41, + part42, + part43, + dup31, + dup32, + ]); + + var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); + + var select13 = linear_select([ + part44, + dup5, + dup6, + ]); + + var all19 = all_match({ + processors: [ + select11, + dup70, + select12, + dup68, + select13, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg23 = msg("virus_file-signature", all19); + + var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); + + var all20 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + 
part45, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg24 = msg("statistics", all20); + + var all21 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + dup61, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg25 = msg("statistics:01", all21); + + var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); + + var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); + + var select14 = linear_select([ + part46, + part47, + ]); + + var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); + + var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); + + var select15 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); + + var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); + + var select16 = linear_select([ + part50, + part51, + ]); + + var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); + + var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); + + var select17 = linear_select([ + part52, + part53, + ]); + + var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); + + var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); + + var select18 = linear_select([ + part54, + part55, + ]); + + var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); + + var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); + + var select19 = linear_select([ + part56, + part57, + ]); + + var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); + + var all22 = all_match({ + processors: [ + dup35, + dup71, + dup69, + dup76, + select14, + select15, + select16, + select17, + dup74, + dup61, + select18, + select19, + part58, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg26 = msg("statistics:02", all22); + + var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); + + var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); + + var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); + + var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); + + var select20 = linear_select([ + part60, + part61, + part62, + ]); + + var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); + + var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); + + var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); + + var select21 = linear_select([ + part64, + part65, + ]); + + var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); + + var all23 = all_match({ + processors: [ + part59, + select20, + part63, + select21, + part66, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + 
dup12, + dup34, + dup15, + ]), + }); + + var msg27 = msg("statistics:03", all23); + + var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); + + var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); + + var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); + + var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); + + var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); + + var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); + + var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); + + var select23 = linear_select([ + part69, + part70, + part71, + part72, + part73, + part74, + ]); + + var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); + + var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); + + var select24 = linear_select([ + part75, + part76, + ]); + + var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); + + var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); + + var select25 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); + + var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); + + var select26 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); + + var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); + + var select27 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); + + var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); + + var select28 = linear_select([ + part83, + part84, + ]); + + var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); + + var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); + + var select29 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); + + var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); + + var select30 = linear_select([ + part87, + part88, + ]); + + var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); + + var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); + + var select31 = linear_select([ + part89, + part90, + ]); + + var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); + + var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); + + var select32 = linear_select([ + part91, + part92, + ]); + + var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); + + var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); + + var select33 = linear_select([ + part93, + part94, + ]); + + var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); + + var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); + + var select34 = linear_select([ + part95, + part96, + ]); + + var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); + + var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); + + var select35 = linear_select([ + part97, + part98, + ]); + + var all24 = all_match({ + processors: [ + dup35, + select22, + select23, + select24, + select25, + select26, + select27, + select28, + select29, + select30, + select31, + select32, + select33, + dup78, + dup79, + select34, + select35, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg28 = msg("statistics:04", all24); + + var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { + "classifier": "filter", + "client_ip": "saddr", + "client_name": "fqdn", + "direction": "direction", + "disposition": "disposition", + "domain": "domain", + "dst_ip": "daddr", + "from": "from", + "hfrom": "fld3", + "mailer": "agent", + "message_length": "fld6", + "polid": "fld5", + "resolved": "context", + "session_id": "sessionid", + "src_type": "fld7", + "subject": "subject", + "to": "to", + "virus": "virusname", + }, processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg29 = msg("statistics:05", part99); + + var select36 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + ]); + + var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); + + var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); + + var select37 = linear_select([ + part100, + part101, + ]); + + var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); + + var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); + + var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); + + var select38 = linear_select([ + part103, + part104, + ]); + + var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); + 
+ var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); + + var select39 = linear_select([ + part105, + part106, + ]); + + var all25 = all_match({ + processors: [ + dup35, + select37, + dup74, + part102, + dup69, + select38, + select39, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg30 = msg("spam", all25); + + var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg31 = msg("spam:04", part107); + + var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); + + var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); + + var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); + + var select40 = linear_select([ + part109, + part110, + ]); + + var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); + + var all26 = all_match({ + processors: [ + part108, + select40, + part111, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg32 = msg("spam:03", all26); + + var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ])); + + var msg33 = msg("spam:02", part112); + + var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); + + var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); + + var select41 = linear_select([ + part113, + part114, + ]); + + var all27 = all_match({ + processors: [ + dup35, + dup71, + dup69, + select41, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), + }); + + var msg34 = msg("spam:01", all27); + + var select42 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_admin": msg1, + "event_config": msg20, + "event_imap": msg5, + "event_pop3": msg2, + "event_smtp": select7, + "event_system": msg4, + "event_update": msg19, + "event_webmail": msg3, + "spam": select42, + "statistics": select36, + "virus": msg21, + "virus_file-signature": msg23, + "virus_infected": msg22, + }), + ]); + + var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); + + var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + + var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + + var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + + var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + + var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + + var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + + var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + + var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + + var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + + var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + + var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + + var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + + var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); + + var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + + var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + + var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + + var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + + var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + + var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + + var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + + var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + + var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + + var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + + var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + + var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + + var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + + var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + + var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + + var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + + var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); + + var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + + var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + + var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + + var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + + var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + + var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + + var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + + var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + + var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + + var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + + var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + + var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + + var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + + var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + + var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + + var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + + var select43 = linear_select([ + dup3, + dup4, + ]); + + var select44 = linear_select([ + dup5, + dup6, + ]); + + var select45 = linear_select([ + dup19, + dup20, + ]); + + var select46 = linear_select([ + dup22, + dup23, + ]); + + var select47 = linear_select([ + dup3, + dup20, + ]); + + var select48 = linear_select([ + dup24, + dup25, + ]); + + var select49 = linear_select([ + 
dup27, + dup28, + ]); + + var select50 = linear_select([ + dup29, + dup30, + ]); + + var select51 = linear_select([ + dup36, + dup37, + ]); + + var select52 = linear_select([ + dup38, + dup39, + ]); + + var select53 = linear_select([ + dup40, + dup41, + ]); + + var select54 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select55 = linear_select([ + dup45, + dup46, + ]); + + var select56 = linear_select([ + dup47, + dup48, + ]); + + var select57 = linear_select([ + dup49, + dup50, + ]); + + var select58 = linear_select([ + dup52, + dup53, + ]); + + var select59 = linear_select([ + dup54, + dup55, + ]); + + var select60 = linear_select([ + dup56, + dup57, + ]); + + var select61 = linear_select([ + dup58, + dup59, + ]); + + var all28 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: 
source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.1/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..56700b8b63
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,68 @@
+---
+description: Pipeline for Fortinet FortiMail
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/fields/agent.yml b/packages/fortinet/1.6.1/data_stream/fortimail/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/fields/agent.yml
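Review bot: The `on_failure` handler at the end of the hunk only appends `error.message`, so an event that trips any processor is still indexed without a marker that parsing broke, and it is indistinguishable from a healthy event to anything filtering on `event.kind`. Adding a sibling processor `- set:` / `field: event.kind` / `value: pipeline_error` alongside the append makes failed ingests searchable and alertable. Separately, the four `geoip` processors guard only against the field being absent; if `source.ip` or `destination.ip` ever carries a non-IP string the processor presumably throws, which sends the whole document to `on_failure` and skips the later `remove` of `event.original`, so an `ignore_failure: true` on them (or an `if` that checks the value is an IP) would keep an enrichment miss from aborting the rest of the pipeline.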
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
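Review bot: `example: 666777888999` under `cloud.account.id` (near the top of this hunk) is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is declared `type: keyword`. Quoting it as `example: "666777888999"` keeps the example in the field's own type and matches the `example: "18D109"` and `example: "stretch"` entries later in the same hunk. The remaining examples (`us-east-1c`, `4.4.0-112-generic`, `10.14.1`) are not number-like and can stay plain.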
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/1.6.1/data_stream/fortimail/fields/base-fields.yml
new file mode 100755
index 0000000000..50a37950c4
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: fortinet
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: fortinet.fortimail
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/fields/ecs.yml b/packages/fortinet/1.6.1/data_stream/fortimail/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/fields/ecs.yml
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/fields/fields.yml b/packages/fortinet/1.6.1/data_stream/fortimail/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/fields/fields.yml
@@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ ignore_above: 1024
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/manifest.yml b/packages/fortinet/1.6.1/data_stream/fortimail/manifest.yml
new file mode 100755
index 0000000000..4acfba2e32
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/manifest.yml
@@ -0,0 +1,210 @@
+title: Fortinet FortiMail logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Fortinet FortiMail logs
+ description: Collect Fortinet FortiMail logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimail
+ - forwarded
+ - name: udp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9529
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Fortinet FortiMail logs
+ description: Collect Fortinet FortiMail logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimail
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9529
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Fortinet FortiMail logs
+ description: Collect Fortinet FortiMail logs from file
+ template_path: log.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/fortinet-fortimail.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimail
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/fortinet/1.6.1/data_stream/fortimail/sample_event.json b/packages/fortinet/1.6.1/data_stream/fortimail/sample_event.json
new file mode 100755
index 0000000000..c9970b456a
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimail/sample_event.json
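Review bot: The tcp stream (`- input: tcp`) exposes only `tcp_host` and `tcp_port` and no `ssl` variable, so once an operator moves the bind address off the default `localhost` the listener takes FortiMail syslog in cleartext from any peer and there is no way to require TLS or a client certificate from the UI; unless tcp.yml.hbs (outside this hunk) hard-codes one, consider adding an optional `ssl` var of `type: yaml` next to `tcp_port`, since the agent's tcp input accepts an ssl block. Separately, `tz_offset` in all three streams has a title but no `description`, so the user sees "+HH:mm format" while the shipped default is `local`; the companion script in the fortimanager stream further down also accepts `event`, and fortimail's presumably does the same. Suggest `description: Timezone offset applied when parsing event timestamps. Accepts 'local' (the agent's timezone), 'event' (the value of event.timezone), or an explicit offset such as +02:00.` The three streams repeat the same six variable blocks verbatim, so any later change to one must be mirrored in the other two.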
@@ -0,0 +1,70 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906",
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "fortinet.fortimail",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "event",
+ "agent_id_status": "verified",
+ "code": "nes",
+ "dataset": "fortinet.fortimail",
+ "ingested": "2022-01-25T12:29:32Z",
+ "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "high",
+ "source": {
+ "address": "172.30.0.4:44540"
+ }
+ },
+ "observer": {
+ "product": "FortiMail",
+ "type": "Firewall",
+ "vendor": "Fortinet"
+ },
+ "rsa": {
+ "internal": {
+ "event_desc": "boNemoe",
+ "messageid": "event_update"
+ },
+ "misc": {
+ "category": "update",
+ "event_type": "event",
+ "hardware_id": "pexe",
+ "msgIdPart1": "event",
+ "msgIdPart2": "update",
+ "reference_id": "nes",
+ "reference_id1": "eab",
+ "severity": "high"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "fortinet-fortimail",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/log.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..eadb30c3f8
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/log.yml.hbs
@@ -0,0 +1,3100 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiManager" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}");
+
+ var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}");
+
+ var select2 = linear_select([
+ part4,
+ part5,
+ ]);
+
+ var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}");
+
+ var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}");
+
+ var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}");
+
+ var select3 = linear_select([
+ part7,
+ part8,
+ ]);
+
+ var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}");
+
+ var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\"");
+
+ var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2");
+
+ var select4 = linear_select([
+ part10,
+ part11,
+ ]);
+
+ var all1 = all_match({
+ processors: [
+ part3,
+ select2,
+ part6,
+ select3,
+ part9,
+ select4,
+ ],
+ on_success: processor_chain([
+ dup11,
+ dup4,
+ lookup({
+ dest: "nwparser.event_cat",
+ map: map_getEventLegacyCategory,
+ key: field("fld5"),
+ }),
+ dup22,
+ dup5,
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ ]),
+ });
+
+ var msg3 = msg("fortinetmgr:04", all1);
+
+ var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([
+ dup3,
+ dup4,
+ dup5,
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ ]));
+
+ var msg4 = msg("fortinetmgr:02", part12);
+
+ var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([
+ dup11,
+ dup4,
+ dup5,
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ lookup({
+ dest: "nwparser.event_cat",
+ map: map_getEventLegacyCategory,
+ key: field("result"),
+ }),
+ dup22,
+ ]));
+
+ var msg5 = msg("fortinetmgr:03", part13);
+
+ var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}");
+
+ var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}");
+
+ var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}");
+
+ var select5 = linear_select([
+ part15,
+ part16,
+ ]);
+
+ var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\"");
+
+ var all2 = all_match({
+ processors: [
+ part14,
+ select5,
+ part17,
+ ],
+ on_success: processor_chain([
+ dup13,
+ dup4,
+ dup5,
+ dup6,
+ dup7,
+ dup8,
+ dup9,
+ dup10,
+ ]),
+ });
+
+ var msg6 = msg("fortinetmgr:05", all2);
+
+ var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, {
+ "action": "action",
+ "adom": "domain",
+ "desc": "event_description",
+ "msg": "info",
+ "session_id": "sessionid",
+ "user": "username",
+ "userfrom": "fld1",
+ }, processor_chain([
+ dup11,
+ dup4,
+ dup5,
+ dup6,
+ dup7,
+ setf("event_type","hfld2"),
+ dup9,
+ dup10,
+ ]));
+
+ var msg7 = msg("event_fortinetmgr_tvm", part18);
+
+ var select6 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ ]);
+
+ var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, {
+ "action": "action",
+ "adminprof": "fld13",
+ "cat": "fcatnum",
+ "catdesc": "filter",
+ "cipher_suite": "fld24",
+ "content_switch_name": "fld15",
+ "craction": "fld9",
+ "crlevel": "fld10",
+ "crscore": "reputation_num",
+ "dev_id": "fld100",
+ "device_id": "hardware_id",
+ "devid": "hardware_id",
+ "devname": "event_source",
+ "devtype": "fld7",
+ "direction": "direction",
+ "dst": "daddr",
+ "dst_port": "dport",
+ "dstintf": "dinterface",
+ "dstip": "daddr",
+ "dstport": "dport",
+ "duration": "duration",
+ "eventtype": "vendor_event_cat",
+ "false_positive_mitigation": "fld17",
+ "ftp_cmd": "fld23",
+ "ftp_mode": "fld22",
+ "history_threat_weight": "fld21",
+ "hostname": "hostname",
+ "http_agent": "agent",
+ "http_host": "web_ref_domain",
+ "http_method": "web_method",
+ "http_refer": "web_referer",
+ "http_session_id": "sessionid",
+ "http_url": "web_query",
+ "http_version": "fld19",
+ "level": "severity",
+ "log_id": "id",
+ "logid": "id",
+ "main_type": "fld37",
+ "mastersrcmac": "fld8",
+ "method": "fld12",
+ "monitor_status": "fld18",
+ "msg": "event_description",
+ "msg_id": "fld25",
+ "osname": "os",
+ "osversion": "version",
+ "policy": "policyname",
+ "policyid": "policy_id",
+ "poluuid": "fld5",
+ "pri": "severity",
+ "profile": "rulename",
+ "proto": "fld6",
+ "rcvdbyte": "rbytes",
+ "reqtype": "fld11",
+ "sentbyte": "sbytes",
+ "server_pool_name": "fld16",
+ "service": "network_service",
+ "sessionid": "sessionid",
+ "severity_level": "fld101",
+ "signature_id": "sigid",
+ "signature_subclass": "fld14",
+ "src": "saddr",
+ "src_port": "sport",
+ "srccountry": "location_src",
+ "srcintf": "sinterface",
+ "srcip": "saddr",
+ "srcmac": "smacaddr",
+ "srcport": "sport",
+ "sub_type": "category",
+ "subtype": "category",
+ "threat_level": "threat_val",
+ "threat_weight": "fld20",
+ "timezone": "timezone",
+ "trandisp": "context",
+ "trigger_policy": "fld39",
+ "type": "event_type",
+ "url": "url",
+ "user": "username",
+ "user_name": "username",
+ "userfrom": "fld30",
+ "vd": "vsys",
+ }, processor_chain([
+ dup13,
+ dup4,
+ dup5,
+ dup14,
+ dup23,
+ ]));
+
+ var msg8 = msg("generic_fortinetmgr", part19);
+
+ var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, {
+ "action": "action",
+ "app": "obj_name",
+ "appcat": "fld33",
+ "craction": "fld9",
+ "crlevel": "fld10",
+ "crscore": "reputation_num",
+ "date": "fld1",
+ "dstcountry": "location_dst",
+ "dstintf": "dinterface",
+ "dstintfrole": "fld31",
+ "dstip": "daddr",
+ "dstport": "dport",
+ "duration": "duration",
+ "eventtime": "event_time_string",
+ "level": "severity",
+ "logid": "id",
+ "logtime": "fld35",
+ "policyid": "policy_id",
+ "policytype": "fld34",
+ "poluuid": "fld5",
+ "proto": "fld6",
+ "rcvdbyte": "rbytes",
+ "sentbyte": "sbytes",
+ "sentpkt": "fld15",
+ "service": "network_service",
+ "sessionid": "sessionid",
+ "srccountry": "location_src",
+ "srcintf": "sinterface",
+ "srcintfrole": "fld30",
+ "srcip": "saddr",
+ "srcport": "sport",
+ "subtype": "category",
+ "time": "fld2",
+ "trandisp": "context",
+ "tranip": "dtransaddr",
+ "tranport": "dtransport",
+ "type": "event_type",
+ "vd": "vsys",
+ }, processor_chain([
+ dup13,
+ dup4,
+ date_time({
+ dest: "event_time",
+ args: ["fld1","fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO],
+ ],
+ }),
+ dup6,
+ setf("hardware_id","hfld2"),
+ dup14,
+ dup23,
+ ]));
+
+ var msg9 = msg("generic_fortinetmgr_1", part20);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "event_fortinetmgr": select6,
+ "generic_fortinetmgr": msg8,
+ "generic_fortinetmgr_1": msg9,
+ }),
+ ]);
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..3f83a27af8
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/tcp.yml.hbs
@@ -0,0 +1,3097 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiManager" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + + var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + + var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + + var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + + var select3 = linear_select([ + part7, + part8, + ]); + + var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + + var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + + var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + + var select4 = linear_select([ + part10, + part11, + ]); + + var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg3 = msg("fortinetmgr:04", all1); + + var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg4 = msg("fortinetmgr:02", part12); + + var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: 
"nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, + ])); + + var msg5 = msg("fortinetmgr:03", part13); + + var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + + var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + + var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + + var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg6 = msg("fortinetmgr:05", all2); + + var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", + }, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, + ])); + + var msg7 = msg("event_fortinetmgr_tvm", part18); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + ]); + + var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + 
"dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, + ])); + + var msg8 = msg("generic_fortinetmgr", part19); + + var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": 
"dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, + ])); + + var msg9 = msg("generic_fortinetmgr_1", part20); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: 
destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..a27a4bacc3 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/fortimanager/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3097 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiManager" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + + var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + + var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + + var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + + var select3 = linear_select([ + part7, + part8, + ]); + + var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + + var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + + var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + + var select4 = linear_select([ + part10, + part11, + ]); + + var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg3 = msg("fortinetmgr:04", all1); + + var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg4 = msg("fortinetmgr:02", part12); + + var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: 
"nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, + ])); + + var msg5 = msg("fortinetmgr:03", part13); + + var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + + var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + + var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + + var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg6 = msg("fortinetmgr:05", all2); + + var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", + }, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, + ])); + + var msg7 = msg("event_fortinetmgr_tvm", part18); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + ]); + + var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + 
"dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, + ])); + + var msg8 = msg("generic_fortinetmgr", part19); + + var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": 
"dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, + ])); + + var msg9 = msg("generic_fortinetmgr_1", part20); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: 
destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..dd4990b756 --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,108 @@
+---
+description: Pipeline for Fortinet Manager/Analyzer
+
+processors:
+  - set:
+      field: ecs.version
+      value: '8.2.0'
+  - gsub:
+      field: destination.mac
+      ignore_missing: true
+      pattern: '[:]'
+      replacement: '-'
+  - gsub:
+      field: source.mac
+      ignore_missing: true
+      pattern: '[:]'
+      replacement: '-'
+  - uppercase:
+      field: destination.mac
+      ignore_missing: true
+  - uppercase:
+      field: source.mac
+      ignore_missing: true
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # URL
+  - uri_parts:
+      field: url.original
+      target_field: _temp_.url
+      ignore_failure: true
+      if: ctx?.url?.original != null
+  - script:
+      lang: painless
+      description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
+      if: ctx?._temp_?.url != null
+      source: |
+        for (entry in ctx._temp_.url.entrySet()) {
+          if (entry != null && entry.getValue() != null) {
+            if(ctx.url[entry.getKey()] == null) {
+              ctx.url[entry.getKey()] = entry.getValue();
+            } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
+              ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
+              ctx.url[entry.getKey()].add(entry.getValue());
+            }
+          }
+        }
+  - remove:
+      field: _temp_
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+  - append:
+      field: related.hosts
+      value: '{{host.name}}'
+      allow_duplicates: false
+      if: ctx.host?.name != null && ctx.host?.name != ''
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/fields/agent.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/agent.yml
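Review bot: The Painless merge in the `- script:` processor calls `.contains()` on the existing `ctx.url[key]` value without checking its type, so if the RSA-side mapping has already put a non-String, non-List value there (`uri_parts` emits a numeric `port`, for example) the script throws, the pipeline-level `on_failure` handler appends `error.message`, and every later processor — the geoip/AS enrichment and the `event.original` removal — is skipped for that document. The same `else if` branch also re-wraps an existing List into a nested array instead of appending to it. I would guard on the runtime type before merging, as below; note this replaces the substring semantics of `String.contains` with `equals`, and if the RSA side stores `url.port` as a long while `uri_parts` yields an int the two compare unequal and both are kept, so a numeric normalisation may be wanted there — how the RSA-side url.* values are populated is outside this hunk.
```yaml
  - script:
      lang: painless
      description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
      if: ctx?._temp_?.url != null
      source: |
        for (entry in ctx._temp_.url.entrySet()) {
          def v = entry.getValue();
          if (v == null) continue;
          def existing = ctx.url[entry.getKey()];
          if (existing == null) {
            ctx.url[entry.getKey()] = v;
          } else if (existing instanceof List) {
            if (!existing.contains(v)) existing.add(v);
          } else if (!existing.equals(v)) {
            ctx.url[entry.getKey()] = [existing, v];
          }
        }
  # … unchanged: remove _temp_, geoip/AS lookups, renames, related.hosts, event.original removal, on_failure …
```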
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/base-fields.yml
new file mode 100755
index 0000000000..bbad94843b
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: fortinet
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: fortinet.fortimanager
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
+- name: container.id
+  description: Unique container id.
+  ignore_above: 1024
+  type: keyword
+- name: input.type
+  description: Type of Filebeat input.
+  type: keyword
+- name: log.file.path
+  description: Full path to the log file this event came from.
+  example: /var/log/fun-times.log
+  ignore_above: 1024
+  type: keyword
+- name: log.source.address
+  description: Source address from which the log event was read / sent from.
+  type: keyword
+- name: log.flags
+  description: Flags for the log file.
+  type: keyword
+- name: log.offset
+  description: Offset of the entry in the log file.
+  type: long
+- name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  ignore_above: 1024
+  type: keyword
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/fields/ecs.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/ecs.yml
new file mode 100755
index 0000000000..2257c57972
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/ecs.yml
@@ -0,0 +1,558 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ The highest registered client domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: client.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: client.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: client.top_level_domain
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: destination.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message. 
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event. 
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Portion of the url after the `#`, such as "top".
+ The `#` is not part of the fragment.
+ name: url.fragment
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch". 
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
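Review bot: `level: core` appears only on `destination.geo.location` and `source.geo.location`, while every other entry in this hunk omits the ECS `level` key, so those two entries read as if they came from a different template than the rest of the file. Either drop the two `level: core` lines or carry `level` on every field so the file is uniform. `event.original` being declared with `index: false` and `doc_values: false` matches the storage-only contract its own description states, so that one is intentional rather than an oversight. If this directory is a snapshot of a published package, the tidy-up belongs in the source package.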
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/fields/fields.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ type: keyword
+ description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: feed_name
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: cid
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_group
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ type: keyword
+ description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ type: keyword
+ description: This is used to capture the category of the feed.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: forward_ip
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: header_id
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_cid
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_ctime
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.
However, in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process.
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy.
This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ 
type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: 
cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - 
name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/manifest.yml b/packages/fortinet/1.6.1/data_stream/fortimanager/manifest.yml new file mode 100755 index 0000000000..c6aacc111a --- /dev/null +++ b/packages/fortinet/1.6.1/data_stream/fortimanager/manifest.yml 
@@ -0,0 +1,210 @@
+title: Fortinet Manager/Analyzer logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Fortinet Manager/Analyzer logs
+ description: Collect Fortinet Manager/Analyzer logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimanager
+ - forwarded
+ - name: udp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9530
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Fortinet Manager/Analyzer logs
+ description: Collect Fortinet Manager/Analyzer logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimanager
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9530
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Fortinet Manager/Analyzer logs
+ description: Collect Fortinet Manager/Analyzer logs from file
+ template_path: log.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/fortinet-fortimanager.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - fortinet-fortimanager
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/fortinet/1.6.1/data_stream/fortimanager/sample_event.json b/packages/fortinet/1.6.1/data_stream/fortimanager/sample_event.json
new file mode 100755
index 0000000000..3eac8bb75e
--- /dev/null
+++ b/packages/fortinet/1.6.1/data_stream/fortimanager/sample_event.json
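Review bot: The tcp stream's vars stop at `tcp_host`/`tcp_port` and offer no `ssl` variable, so the only transport an operator can configure from the policy is cleartext TCP, with no way to authenticate the sending FortiManager/FortiAnalyzer or protect the device names, addresses and policy ids these logs carry. Filebeat's tcp input accepts `ssl.*` settings, so — assuming tcp.yml.hbs renders such a value, which is not visible here — a `yaml`-typed `ssl` var placed after `tcp_port` would expose it the way other Elastic integrations do; the `localhost` bind defaults for both listeners are otherwise the right conservative choice. Separately, `tz_offset` in all three streams has a title but no `description`, leaving the quoted `"local"` default unexplained; if `local` means the agent host's timezone as in the Filebeat RSA modules, `description: Offset of the device clock from UTC in +HH:mm format, or "local" to use the timezone of the host running the agent.` would say so.
```yaml
# … unchanged: tags, tcp_host, tcp_port vars …
      - name: ssl
        type: yaml
        title: SSL Configuration
        description: SSL configuration options for the TCP listener. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for details.
        multi: false
        required: false
        show_user: false
# … unchanged: tz_offset and remaining vars …
```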
@@ -0,0 +1,131 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac",
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "fortinet.fortimanager",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 449,
+ "geo": {
+ "country_name": "sequa"
+ },
+ "ip": [
+ "10.44.173.44"
+ ],
+ "nat": {
+ "ip": "10.189.58.145",
+ "port": 5273
+ },
+ "port": 6125
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "allow",
+ "agent_id_status": "verified",
+ "code": "sse",
+ "dataset": "fortinet.fortimanager",
+ "ingested": "2022-01-25T12:33:50Z",
+ "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "very-high",
+ "source": {
+ "address": "172.30.0.4:60997"
+ }
+ },
+ "network": {
+ "bytes": 8329
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "enp0s3068"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "eth5722"
+ }
+ },
+ "product": "FortiManager",
+ "type": "Configuration",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "hosts": [
+ "modtempo"
+ ],
+ "ip": [
+ "10.189.58.145",
+ "10.20.234.169",
+ "10.44.173.44"
+ ]
+ },
+ "rsa": {
+ "internal": {
+ "messageid": "generic_fortinetmgr_1"
+ },
+ "misc": {
+ "action": [
+ "allow"
+ ],
+ "category": "der",
+ "context": "abo",
+ "event_source": "modtempo",
+ "event_type": "exercita",
+ "hardware_id": "olab",
+ "log_session_id": "psa",
+ "policy_id": "ntium",
+ "reference_id": "sse",
+ "severity": "very-high",
+ "vsys": "nto"
+ },
+ "network": {
+ "dinterface": "enp0s3068",
+ "network_service": "lupt",
+ "sinterface": "eth5722"
+ },
+ "time": {
+ "duration_time": 14.119,
+ "event_time": "2016-01-29T06:09:59.000Z",
+ "event_time_str": "odoco"
+ },
+ "web": {
+ "reputation_num": 13.8
+ }
+ },
+ "source": {
+ "bytes": 7880,
+ "geo": {
+ "country_name": "dolore"
+ },
+ "ip": [
+ "10.20.234.169"
+ ],
+ "port": 1001
+ },
+ "tags": [
+ "preserve_original_event",
+ "fortinet-fortimanager",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.1/docs/README.md b/packages/fortinet/1.6.1/docs/README.md
new file mode 100755
index 0000000000..e5f17a143d
--- /dev/null
+++ b/packages/fortinet/1.6.1/docs/README.md
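Review bot: The fortimanager sample sets `event.action: "allow"` but none of `event.kind`, `event.category`, `event.type` or `event.outcome`, whereas the firewall sample in this package's README carries `"kind": "event"`, `"category": ["network"]`, `"type": ["allowed"]` and `"outcome": "success"`; if this file reflects what the pipeline emits, detection rules and dashboards that filter on the ECS categorization fields will silently exclude FortiManager/FortiAnalyzer events. The ingest pipeline is not part of this hunk, so this is inferred from the sample alone and should be confirmed against the pipeline. `destination.ip` and `source.ip` are also emitted here as single-element arrays while the firewall sample uses scalar strings; the field mapping tolerates both, but consumers that read a scalar should be checked.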
@@ -0,0 +1,3633 @@
+# Fortinet Integration
+
+This integration is for Fortinet FortiOS and FortiClient Endpoint logs sent in the syslog format. It includes the following datasets for receiving logs:
+
+- `firewall` dataset: consists of Fortinet FortiGate logs.
+- `clientendpoint` dataset: supports Fortinet FortiClient Endpoint Security logs.
+- `fortimail` dataset: supports Fortinet FortiMail logs.
+- `fortimanager` dataset: supports Fortinet Manager/Analyzer logs.
+
+## Compatibility
+
+This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
+
+## Logs
+
+### Firewall
+
+Contains log entries from Fortinet FortiGate applicances.
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2019-05-15T18:03:36.000Z",
+ "agent": {
+ "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
+ "hostname": "docker-fleet-agent",
+ "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.14.0"
+ },
+ "data_stream": {
+ "dataset": "fortinet.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "as": {
+ "number": 41690,
+ "organization": {
+ "name": "Dailymotion S.A."
+ }
+ },
+ "geo": {
+ "continent_name": "Europe",
+ "country_iso_code": "FR",
+ "country_name": "France",
+ "location": {
+ "lat": 48.8582,
+ "lon": 2.3387
+ }
+ },
+ "ip": "195.8.215.136",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
+ "snapshot": true,
+ "version": "7.14.0"
+ },
+ "event": {
+ "action": "app-ctrl-all",
+ "category": [
+ "network"
+ ],
+ "code": "1059028704",
+ "dataset": "fortinet.firewall",
+ "ingested": "2021-06-03T12:38:44.458586716Z",
+ "kind": "event",
+ "module": "fortinet",
+ "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
+ "outcome": "success",
+ "start": "2019-05-16T01:03:35.000Z",
+ "type": [
+ "allowed"
+ ]
+ },
+ "fortinet": {
+ "firewall": {
+ "action": "pass",
+ "appid": "40568",
+ "apprisk": "medium",
+ "dstintfrole": "wan",
+ "incidentserialno": "1962906680",
+ "sessionid": "4414",
+ "srcintfrole": "lan",
+ "subtype": "app-ctrl",
+ "type": "utm",
+ "vd": "root"
+ }
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "information",
+ "source": {
+ "address": "192.168.240.4:54617"
+ }
+ },
+ "message": "Web.Client: HTTPS.BROWSER,",
+ "network": {
+ "application": "HTTPS.BROWSER",
+ "direction": "outbound",
+ "iana_number": "6",
+ "transport": "tcp",
+ "protocol": "https"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "port9"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "port10"
+ }
+ },
+ "product": "Fortigate",
+ "type": "firewall",
+ "vendor": "Fortinet"
+ },
+ "related": {
+ "ip": [
+ "10.1.100.22",
+ "195.8.215.136"
+ ]
+ },
+ "rule": {
+ "category": "Web-Client",
+ "id": "1",
+ "ruleset": "block-social.media"
+ },
+ "source": {
+ "ip": "10.1.100.22",
+ "port": 50798
+ },
+ "tags": [
+ "fortinet-firewall",
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "tls": {
+ "server": {
+ "issuer": "DigiCert SHA2 High Assurance Server CA",
+ "x509": {
+ "issuer": {
+ "common_name": "DigiCert SHA2 High Assurance Server CA"
+ },
+ "subject": {
+ "common_name": "*.dailymotion.com"
+ }
+ }
+ }
+ },
+ "url": {
+ "domain": "www.dailymotion.com",
+ "path": "/"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name.
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.email | User email address. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.message | Log message optimized for viewing in a log viewer. | text | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". 
| long | +| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | +| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | +| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | +| fortinet.firewall.act | Action | keyword | +| fortinet.firewall.action | Status of the session | keyword | +| fortinet.firewall.activity | HA activity message | keyword | +| fortinet.firewall.addr | IP Address | ip | +| fortinet.firewall.addr_type | Address Type | keyword | +| fortinet.firewall.addrgrp | Address Group | keyword | +| fortinet.firewall.adgroup | AD Group Name | keyword | +| fortinet.firewall.admin | Admin User | keyword | +| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | +| fortinet.firewall.agent | User agent - eg. agent="Mozilla/5.0" | keyword | +| fortinet.firewall.alarmid | Alarm ID | integer | +| fortinet.firewall.alert | Alert | keyword | +| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | +| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | +| fortinet.firewall.ap | Access Point | keyword | +| fortinet.firewall.app-type | Address Type | keyword | +| fortinet.firewall.appact | The security action from app control | keyword | +| fortinet.firewall.appid | Application ID | integer | +| fortinet.firewall.applist | Application Control profile | keyword | +| fortinet.firewall.apprisk | Application Risk Level | keyword | +| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | +| fortinet.firewall.apsn | Access Point | keyword | +| fortinet.firewall.apstatus | Access Point status | keyword | +| fortinet.firewall.aptype | Access Point type | keyword | +| fortinet.firewall.assigned | Assigned IP Address | ip | +| fortinet.firewall.assignip | Assigned IP Address | ip | +| fortinet.firewall.attachment | The flag for email attachement | keyword | +| fortinet.firewall.attack | Attack Name | 
keyword | +| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | +| fortinet.firewall.attackcontextid | Attack context id / total | keyword | +| fortinet.firewall.attackid | Attack ID | integer | +| fortinet.firewall.auditid | Audit ID | long | +| fortinet.firewall.auditscore | The Audit Score | keyword | +| fortinet.firewall.audittime | The time of the audit | long | +| fortinet.firewall.authgrp | Authorization Group | keyword | +| fortinet.firewall.authid | Authentication ID | keyword | +| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | +| fortinet.firewall.authserver | Authentication server | keyword | +| fortinet.firewall.bandwidth | Bandwidth | keyword | +| fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | +| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | +| fortinet.firewall.banword | Banned word | keyword | +| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | +| fortinet.firewall.botnetip | Botnet IP Address | ip | +| fortinet.firewall.bssid | Service Set ID | keyword | +| fortinet.firewall.call_id | Caller ID | keyword | +| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | +| fortinet.firewall.cat | DNS category ID | integer | +| fortinet.firewall.category | Authentication category | keyword | +| fortinet.firewall.cc | CC Email Address | keyword | +| fortinet.firewall.cdrcontent | Cdrcontent | keyword | +| fortinet.firewall.centralnatid | Central NAT ID | integer | +| fortinet.firewall.cert | Certificate | keyword | +| fortinet.firewall.cert-type | Certificate type | keyword | +| fortinet.firewall.certhash | Certificate hash | keyword | +| fortinet.firewall.cfgattr | Configuration attribute | keyword | +| fortinet.firewall.cfgobj | Configuration object | keyword | +| fortinet.firewall.cfgpath | Configuration path | keyword | +| fortinet.firewall.cfgtid | 
Configuration transaction ID | keyword | +| fortinet.firewall.cfgtxpower | Configuration TX power | integer | +| fortinet.firewall.channel | Wireless Channel | integer | +| fortinet.firewall.channeltype | SSH channel type | keyword | +| fortinet.firewall.chassisid | Chassis ID | integer | +| fortinet.firewall.checksum | The checksum of the scanned file | keyword | +| fortinet.firewall.chgheaders | HTTP Headers | keyword | +| fortinet.firewall.cldobjid | Connector object ID | keyword | +| fortinet.firewall.client_addr | Wifi client address | keyword | +| fortinet.firewall.cloudaction | Cloud Action | keyword | +| fortinet.firewall.clouduser | Cloud User | keyword | +| fortinet.firewall.column | VOIP Column | integer | +| fortinet.firewall.command | CLI Command | keyword | +| fortinet.firewall.community | SNMP Community | keyword | +| fortinet.firewall.configcountry | Configuration country | keyword | +| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | +| fortinet.firewall.conserve | Flag for conserve mode | keyword | +| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | +| fortinet.firewall.contentdisarmed | Email scanned content | keyword | +| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | +| fortinet.firewall.cookies | VPN Cookie | keyword | +| fortinet.firewall.count | Counts of action type | integer | +| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | +| fortinet.firewall.countav | Number of AV logs associated with the session | integer | +| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | +| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | +| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | +| fortinet.firewall.countemail | Number of email logs associated with the session | integer | +| fortinet.firewall.countff | Number of 
ff logs associated with the session | integer | +| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | +| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | +| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | +| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | +| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | +| fortinet.firewall.cpu | CPU Usage | integer | +| fortinet.firewall.craction | Client Reputation Action | integer | +| fortinet.firewall.criticalcount | Number of critical ratings | integer | +| fortinet.firewall.crl | Client Reputation Level | keyword | +| fortinet.firewall.crlevel | Client Reputation Level | keyword | +| fortinet.firewall.crscore | Some description | integer | +| fortinet.firewall.cveid | CVE ID | keyword | +| fortinet.firewall.daemon | Daemon name | keyword | +| fortinet.firewall.datarange | Data range for reports | keyword | +| fortinet.firewall.date | Date | keyword | +| fortinet.firewall.ddnsserver | DDNS server | ip | +| fortinet.firewall.desc | Description | keyword | +| fortinet.firewall.detectionmethod | Detection method | keyword | +| fortinet.firewall.devcategory | Device category | keyword | +| fortinet.firewall.devintfname | HA device Interface Name | keyword | +| fortinet.firewall.devtype | Device type | keyword | +| fortinet.firewall.dhcp_msg | DHCP Message | keyword | +| fortinet.firewall.dintf | Destination interface | keyword | +| fortinet.firewall.disk | Assosciated disk | keyword | +| fortinet.firewall.disklograte | Disk logging rate | long | +| fortinet.firewall.dlpextra | DLP extra information | keyword | +| fortinet.firewall.docsource | DLP fingerprint document source | keyword | +| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | +| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | 
integer | +| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | +| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | +| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | +| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | +| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | +| fortinet.firewall.domainfilteridx | Domain filter ID | integer | +| fortinet.firewall.domainfilterlist | Domain filter name | keyword | +| fortinet.firewall.ds | Direction with distribution system | keyword | +| fortinet.firewall.dst_int | Destination interface | keyword | +| fortinet.firewall.dstcountry | Destination country | keyword | +| fortinet.firewall.dstdevcategory | Destination device category | keyword | +| fortinet.firewall.dstdevtype | Destination device type | keyword | +| fortinet.firewall.dstfamily | Destination OS family | keyword | +| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword | +| fortinet.firewall.dsthwversion | Destination HW version | keyword | +| fortinet.firewall.dstinetsvc | Destination interface service | keyword | +| fortinet.firewall.dstintfrole | Destination interface role | keyword | +| fortinet.firewall.dstosname | Destination OS name | keyword | +| fortinet.firewall.dstosversion | Destination OS version | keyword | +| fortinet.firewall.dstserver | Destination server | integer | +| fortinet.firewall.dstssid | Destination SSID | keyword | +| fortinet.firewall.dstswversion | Destination software version | keyword | +| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword | +| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword | +| fortinet.firewall.duid | DHCP UID | keyword | +| fortinet.firewall.eapolcnt | EAPOL packet count | integer | +| fortinet.firewall.eapoltype | EAPOL packet type | keyword | +| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer | +| 
fortinet.firewall.encryption | Encryption method | keyword | +| fortinet.firewall.epoch | Epoch used for locating file | integer | +| fortinet.firewall.espauth | ESP Authentication | keyword | +| fortinet.firewall.esptransform | ESP Transform | keyword | +| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword | +| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword | +| fortinet.firewall.expectedsignature | Expected SSL signature | keyword | +| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword | +| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer | +| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long | +| fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword | +| fortinet.firewall.fctuid | FortiClient UID | keyword | +| fortinet.firewall.field | NTP status field | keyword | +| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword | +| fortinet.firewall.filehashsrc | Filehash source | keyword | +| fortinet.firewall.filtercat | DLP filter category | keyword | +| fortinet.firewall.filteridx | DLP filter ID | integer | +| fortinet.firewall.filtername | DLP rule name | keyword | +| fortinet.firewall.filtertype | DLP filter type | keyword | +| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword | +| fortinet.firewall.forwardedfor | Email address forwarded | keyword | +| fortinet.firewall.fqdn | FQDN | keyword | +| fortinet.firewall.frametype | Wireless frametype | keyword | +| fortinet.firewall.freediskstorage | Free disk integer | integer | +| fortinet.firewall.from | From email address | keyword | +| fortinet.firewall.from_vcluster | Source virtual cluster number | integer | +| fortinet.firewall.fsaverdict | FSA verdict | keyword | +| fortinet.firewall.fwserver_name | Web proxy server name | keyword | +| fortinet.firewall.gateway | Gateway ip address for PPPoE status report 
| ip | +| fortinet.firewall.green | Memory status | keyword | +| fortinet.firewall.groupid | User Group ID | integer | +| fortinet.firewall.ha-prio | HA Priority | integer | +| fortinet.firewall.ha_group | HA Group | keyword | +| fortinet.firewall.ha_role | HA Role | keyword | +| fortinet.firewall.handshake | SSL Handshake | keyword | +| fortinet.firewall.hash | Hash value of downloaded file | keyword | +| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword | +| fortinet.firewall.highcount | Highcount fabric summary | integer | +| fortinet.firewall.host | Hostname | keyword | +| fortinet.firewall.iaid | DHCPv6 id | keyword | +| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword | +| fortinet.firewall.icmpid | Source port of the ICMP message | keyword | +| fortinet.firewall.icmptype | The type of ICMP message | keyword | +| fortinet.firewall.identifier | Network traffic identifier | integer | +| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword | +| fortinet.firewall.incidentserialno | Incident serial number | integer | +| fortinet.firewall.infected | Infected MMS | integer | +| fortinet.firewall.infectedfilelevel | DLP infected file level | integer | +| fortinet.firewall.informationsource | Information source | keyword | +| fortinet.firewall.init | IPSEC init stage | keyword | +| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword | +| fortinet.firewall.interface | Related interface | keyword | +| fortinet.firewall.intf | Related interface | keyword | +| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword | +| fortinet.firewall.ip | Related IP | ip | +| fortinet.firewall.iptype | Related IP type | keyword | +| fortinet.firewall.keyword | Keyword used for search | keyword | +| fortinet.firewall.kind | VOIP kind | keyword | +| fortinet.firewall.lanin | LAN incoming traffic in bytes | long | +| fortinet.firewall.lanout | LAN outbound traffic in bytes | long | +| 
fortinet.firewall.lease | DHCP lease | integer | +| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword | +| fortinet.firewall.limit | Virtual Domain Resource Limit | integer | +| fortinet.firewall.line | VOIP line | keyword | +| fortinet.firewall.live | Time in seconds | integer | +| fortinet.firewall.local | Local IP for a PPPD Connection | ip | +| fortinet.firewall.log | Log message | keyword | +| fortinet.firewall.login | SSH login | keyword | +| fortinet.firewall.lowcount | Fabric lowcount | integer | +| fortinet.firewall.mac | DHCP mac address | keyword | +| fortinet.firewall.malform_data | VOIP malformed data | integer | +| fortinet.firewall.malform_desc | VOIP malformed data description | keyword | +| fortinet.firewall.manuf | Manufacturer name | keyword | +| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword | +| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword | +| fortinet.firewall.mediumcount | Fabric medium count | integer | +| fortinet.firewall.mem | Memory usage system statistics | integer | +| fortinet.firewall.meshmode | Wireless mesh mode | keyword | +| fortinet.firewall.message_type | VOIP message type | keyword | +| fortinet.firewall.method | HTTP method | keyword | +| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer | +| fortinet.firewall.mode | IPSEC mode | keyword | +| fortinet.firewall.module | PCI-DSS module | keyword | +| fortinet.firewall.monitor-name | Health Monitor Name | keyword | +| fortinet.firewall.monitor-type | Health Monitor Type | keyword | +| fortinet.firewall.mpsk | Wireless MPSK | keyword | +| fortinet.firewall.msgproto | Message Protocol Number | keyword | +| fortinet.firewall.mtu | Max Transmission Unit Value | integer | +| fortinet.firewall.name | Name | keyword | +| fortinet.firewall.nat | NAT IP Address | keyword | 
+| fortinet.firewall.netid | Connector NetID | keyword | +| fortinet.firewall.new_status | New status on user change | keyword | +| fortinet.firewall.new_value | New Virtual Domain Name | keyword | +| fortinet.firewall.newchannel | New Channel Number | integer | +| fortinet.firewall.newchassisid | New Chassis ID | integer | +| fortinet.firewall.newslot | New Slot Number | integer | +| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. | integer | +| fortinet.firewall.nf_type | Notification Type | keyword | +| fortinet.firewall.noise | Wifi Noise | integer | +| fortinet.firewall.old_status | Original Status | keyword | +| fortinet.firewall.old_value | Original Virtual Domain name | keyword | +| fortinet.firewall.oldchannel | Original channel | integer | +| fortinet.firewall.oldchassisid | Original Chassis Number | integer | +| fortinet.firewall.oldslot | Original Slot Number | integer | +| fortinet.firewall.oldsn | Old Serial number | keyword | +| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword | +| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword | +| fortinet.firewall.opercountry | Operating Country | keyword | +| fortinet.firewall.opertxpower | Operating TX power | integer | +| fortinet.firewall.osname | Operating System name | keyword | +| fortinet.firewall.osversion | Operating System version | keyword | +| fortinet.firewall.out_spi | Out SPI | keyword | +| fortinet.firewall.outintf | Out interface | keyword | +| fortinet.firewall.passedcount | Fabric passed count | integer | +| fortinet.firewall.passwd | Changed user password information | keyword | +| fortinet.firewall.path | Path of looped configuration for security fabric | keyword | +| fortinet.firewall.peer | WAN optimization peer | keyword | +| fortinet.firewall.peer_notif | VPN peer notification | keyword | +| fortinet.firewall.phase2_name | VPN phase2 name | keyword | +| fortinet.firewall.phone | VOIP Phone | keyword | +| 
fortinet.firewall.pid | Process ID | integer | +| fortinet.firewall.policytype | Policy Type | keyword | +| fortinet.firewall.poolname | IP Pool name | keyword | +| fortinet.firewall.port | Log upload error port | integer | +| fortinet.firewall.portbegin | IP Pool port number to begin | integer | +| fortinet.firewall.portend | IP Pool port number to end | integer | +| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword | +| fortinet.firewall.process | URL Filter process | keyword | +| fortinet.firewall.processtime | Process time for reports | integer | +| fortinet.firewall.profile | Profile Name | keyword | +| fortinet.firewall.profile_vd | Virtual Domain Name | keyword | +| fortinet.firewall.profilegroup | Profile Group Name | keyword | +| fortinet.firewall.profiletype | Profile Type | keyword | +| fortinet.firewall.qtypeval | DNS question type value | integer | +| fortinet.firewall.quarskip | Quarantine skip explanation | keyword | +| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword | +| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long | +| fortinet.firewall.quotatype | Quota type | keyword | +| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long | +| fortinet.firewall.radioband | Radio band | keyword | +| fortinet.firewall.radioid | Radio ID | integer | +| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer | +| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer | +| fortinet.firewall.rate | Wireless rogue rate value | keyword | +| fortinet.firewall.rawdata | Raw data value | keyword | +| fortinet.firewall.rawdataid | Raw data ID | keyword | +| fortinet.firewall.rcvddelta | Received bytes delta | keyword | +| fortinet.firewall.reason | Alert reason | keyword | +| fortinet.firewall.received | Server key exchange received | integer | +| 
fortinet.firewall.receivedsignature | Server key exchange received signature | keyword | +| fortinet.firewall.red | Memory information in red | keyword | +| fortinet.firewall.referralurl | Web filter referralurl | keyword | +| fortinet.firewall.remote | Remote PPP IP address | ip | +| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword | +| fortinet.firewall.reporttype | Report type | keyword | +| fortinet.firewall.reqtype | Request type | keyword | +| fortinet.firewall.request_name | VOIP request name | keyword | +| fortinet.firewall.result | VPN phase result | keyword | +| fortinet.firewall.role | VPN Phase 2 role | keyword | +| fortinet.firewall.rssi | Received signal strength indicator | integer | +| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword | +| fortinet.firewall.ruledata | Rule data | keyword | +| fortinet.firewall.ruletype | Rule type | keyword | +| fortinet.firewall.scanned | Number of Scanned MMSs | integer | +| fortinet.firewall.scantime | Scanned time | long | +| fortinet.firewall.scope | FortiGuard Override Scope | keyword | +| fortinet.firewall.security | Wireless rogue security | keyword | +| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword | +| fortinet.firewall.sensor | NAC Sensor Name | keyword | +| fortinet.firewall.sentdelta | Sent bytes delta | keyword | +| fortinet.firewall.seq | Sequence number | keyword | +| fortinet.firewall.serial | WAN optimisation serial | keyword | +| fortinet.firewall.serialno | Serial number | keyword | +| fortinet.firewall.server | AD server FQDN or IP | keyword | +| fortinet.firewall.session_id | Session ID | keyword | +| fortinet.firewall.sessionid | WAD Session ID | integer | +| fortinet.firewall.setuprate | Session Setup Rate | long | +| fortinet.firewall.severity | Severity | keyword | +| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer | +| fortinet.firewall.shaperdropsentbyte | Sent bytes 
dropped by shaper | integer | +| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer | +| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword | +| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword | +| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword | +| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer | +| fortinet.firewall.signal | Wireless rogue API signal | integer | +| fortinet.firewall.size | Email size in bytes | long | +| fortinet.firewall.slot | Slot number | integer | +| fortinet.firewall.sn | Security fabric serial number | keyword | +| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword | +| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword | +| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword | +| fortinet.firewall.spi | IPSEC SPI | keyword | +| fortinet.firewall.src_int | Source interface | keyword | +| fortinet.firewall.srccountry | Source country | keyword | +| fortinet.firewall.srcfamily | Source family | keyword | +| fortinet.firewall.srchwvendor | Source hardware vendor | keyword | +| fortinet.firewall.srchwversion | Source hardware version | keyword | +| fortinet.firewall.srcinetsvc | Source interface service | keyword | +| fortinet.firewall.srcintfrole | Source interface role | keyword | +| fortinet.firewall.srcname | Source name | keyword | +| fortinet.firewall.srcserver | Source server | integer | +| fortinet.firewall.srcssid | Source SSID | keyword | +| fortinet.firewall.srcswversion | Source software version | keyword | +| fortinet.firewall.srcuuid | Source UUID | keyword | +| fortinet.firewall.sscname | SSC name | keyword | +| fortinet.firewall.ssid | Base Service Set ID | keyword | +| fortinet.firewall.sslaction | SSL Action | keyword | +| fortinet.firewall.ssllocal | WAD SSL local | keyword | +| fortinet.firewall.sslremote | 
WAD SSL remote | keyword | +| fortinet.firewall.stacount | Number of stations/clients | integer | +| fortinet.firewall.stage | IPSEC stage | keyword | +| fortinet.firewall.stamac | 802.1x station mac | keyword | +| fortinet.firewall.state | Admin login state | keyword | +| fortinet.firewall.status | Status | keyword | +| fortinet.firewall.stitch | Automation stitch triggered | keyword | +| fortinet.firewall.subject | Email subject | keyword | +| fortinet.firewall.submodule | Configuration Sub-Module Name | keyword | +| fortinet.firewall.subservice | AV subservice | keyword | +| fortinet.firewall.subtype | Log subtype | keyword | +| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer | +| fortinet.firewall.switchproto | Protocol change information | keyword | +| fortinet.firewall.sync_status | The sync status with the master | keyword | +| fortinet.firewall.sync_type | The sync type with the master | keyword | +| fortinet.firewall.sysuptime | System uptime | keyword | +| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword | +| fortinet.firewall.threattype | WIDS threat type | keyword | +| fortinet.firewall.time | Time of the event | keyword | +| fortinet.firewall.to | Email to field | keyword | +| fortinet.firewall.to_vcluster | destination virtual cluster number | integer | +| fortinet.firewall.total | Total memory | integer | +| fortinet.firewall.totalsession | Total Number of Sessions | integer | +| fortinet.firewall.trace_id | Session clash trace ID | keyword | +| fortinet.firewall.trandisp | NAT translation type | keyword | +| fortinet.firewall.transid | HTTP transaction ID | integer | +| fortinet.firewall.translationid | DNS filter transaltion ID | keyword | +| fortinet.firewall.trigger | Automation stitch trigger | keyword | +| fortinet.firewall.trueclntip | File filter true client IP | ip | +| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer | +| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip | 
+| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword | +| fortinet.firewall.type | Module type | keyword | +| fortinet.firewall.ui | Admin authentication UI type | keyword | +| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword | +| fortinet.firewall.unit | Power supply unit | integer | +| fortinet.firewall.urlfilteridx | URL filter ID | integer | +| fortinet.firewall.urlfilterlist | URL filter list | keyword | +| fortinet.firewall.urlsource | URL filter source | keyword | +| fortinet.firewall.urltype | URL filter type | keyword | +| fortinet.firewall.used | Number of Used IPs | integer | +| fortinet.firewall.used_for_type | Connection for the type | integer | +| fortinet.firewall.utmaction | Security action performed by UTM | keyword | +| fortinet.firewall.vap | Virtual AP | keyword | +| fortinet.firewall.vapmode | Virtual AP mode | keyword | +| fortinet.firewall.vcluster | virtual cluster id | integer | +| fortinet.firewall.vcluster_member | Virtual cluster member | integer | +| fortinet.firewall.vcluster_state | Virtual cluster state | keyword | +| fortinet.firewall.vd | Virtual Domain Name | keyword | +| fortinet.firewall.vdname | Virtual Domain Name | keyword | +| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword | +| fortinet.firewall.version | Version | keyword | +| fortinet.firewall.vip | Virtual IP | keyword | +| fortinet.firewall.virus | Virus name | keyword | +| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer | +| fortinet.firewall.voip_proto | VOIP protocol | keyword | +| fortinet.firewall.vpn | VPN description | keyword | +| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword | +| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword | +| fortinet.firewall.vrf | VRF number | integer | +| fortinet.firewall.vulncat | Vulnerability Category | keyword | +| fortinet.firewall.vulnid | Vulnerability ID | integer | +| fortinet.firewall.vulnname | Vulnerability 
name | keyword | +| fortinet.firewall.vwlid | VWL ID | integer | +| fortinet.firewall.vwlquality | VWL quality | keyword | +| fortinet.firewall.vwlservice | VWL service | keyword | +| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer | +| fortinet.firewall.wanin | WAN incoming traffic in bytes | long | +| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword | +| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long | +| fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword | +| fortinet.firewall.xauthgroup | XAuth Group Name | keyword | +| fortinet.firewall.xauthuser | XAuth User Name | keyword | +| fortinet.firewall.xid | Wireless X ID | integer | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. 
| keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. 
| keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. 
internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | +| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| user_agent.original | Unparsed user_agent string. 
| keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | + + +### Clientendpoint + +The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security logs. + +An example event for `clientendpoint` looks as following: + +```json +{ + "@timestamp": "2021-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet.clientendpoint", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": [ + "10.102.123.34" + ], + "port": 3994 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "code": "http", + "dataset": "fortinet.clientendpoint", + "ingested": "2022-01-25T12:25:45Z", + "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", + "outcome": "failure", + "timezone": "+00:00" + }, + "host": { + "name": "boNemoe4402.www.invalid" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:54478" + } + }, + "network": { + "direction": "external", + "protocol": "udp" + }, + "observer": { + 
"product": "FortiClient", + "type": "Anti-Virus", + "vendor": "Fortinet" + }, + "process": { + "pid": 7880 + }, + "related": { + "hosts": [ + "litesse6379.api.domain", + "boNemoe4402.www.invalid" + ], + "ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "user": [ + "sumdo" + ] + }, + "rsa": { + "counters": { + "dclass_c1": 5286, + "dclass_c1_str": "block_count" + }, + "internal": { + "messageid": "http" + }, + "investigations": { + "ec_outcome": "Failure", + "ec_subject": "NetworkComm", + "ec_theme": "ALM" + }, + "misc": { + "action": [ + "deny" + ], + "result": "failure\n" + }, + "network": { + "alias_host": [ + "boNemoe4402.www.invalid" + ], + "domain": "litesse6379.api.domain", + "network_service": "http" + }, + "time": { + "event_time": "2021-01-29T06:09:59.000Z" + } + }, + "server": { + "domain": "litesse6379.api.domain", + "registered_domain": "api.domain", + "subdomain": "litesse6379", + "top_level_domain": "domain" + }, + "source": { + "ip": [ + "10.150.92.220" + ], + "port": 7178 + }, + "tags": [ + "preserve_original_event", + "fortinet-clientendpoint", + "forwarded" + ], + "user": { + "name": "sumdo" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. 
If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. 
| keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. 
| long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| 
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 |
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event.
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log).
| keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name.
| keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable.
| keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor.
Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long
|
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
| keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user.
| keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database.
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration.
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +### Fortimail + +The `fortimail` dataset collects Fortinet FortiMail logs. 
+ +An example event for `fortimail` looks as following: + +```json +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet.fortimail", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "event", + "agent_id_status": "verified", + "code": "nes", + "dataset": "fortinet.fortimail", + "ingested": "2022-01-25T12:29:32Z", + "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "high", + "source": { + "address": "172.30.0.4:44540" + } + }, + "observer": { + "product": "FortiMail", + "type": "Firewall", + "vendor": "Fortinet" + }, + "rsa": { + "internal": { + "event_desc": "boNemoe", + "messageid": "event_update" + }, + "misc": { + "category": "update", + "event_type": "event", + "hardware_id": "pexe", + "msgIdPart1": "event", + "msgIdPart2": "update", + "reference_id": "nes", + "reference_id1": "eab", + "severity": "high" + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "tags": [ + "preserve_original_event", + "fortinet-fortimail", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. 
| keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. 
| keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. 
| match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| 
rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +### Fortimanager + +The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. 
+ +An example event for `fortimanager` looks as following: + +```json +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet.fortimanager", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 449, + "geo": { + "country_name": "sequa" + }, + "ip": [ + "10.44.173.44" + ], + "nat": { + "ip": "10.189.58.145", + "port": 5273 + }, + "port": 6125 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "allow", + "agent_id_status": "verified", + "code": "sse", + "dataset": "fortinet.fortimanager", + "ingested": "2022-01-25T12:33:50Z", + "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "very-high", + "source": { + "address": "172.30.0.4:60997" + } + }, + "network": { + "bytes": 8329 + }, + "observer": { + "egress": { + "interface": { + "name": "enp0s3068" + } + }, + "ingress": { + "interface": { + "name": "eth5722" + } + }, + "product": "FortiManager", + "type": "Configuration", + "vendor": "Fortinet" + }, + "related": { + "hosts": [ + "modtempo" + ], + "ip": [ + 
"10.189.58.145", + "10.20.234.169", + "10.44.173.44" + ] + }, + "rsa": { + "internal": { + "messageid": "generic_fortinetmgr_1" + }, + "misc": { + "action": [ + "allow" + ], + "category": "der", + "context": "abo", + "event_source": "modtempo", + "event_type": "exercita", + "hardware_id": "olab", + "log_session_id": "psa", + "policy_id": "ntium", + "reference_id": "sse", + "severity": "very-high", + "vsys": "nto" + }, + "network": { + "dinterface": "enp0s3068", + "network_service": "lupt", + "sinterface": "eth5722" + }, + "time": { + "duration_time": 14.119, + "event_time": "2016-01-29T06:09:59.000Z", + "event_time_str": "odoco" + }, + "web": { + "reputation_num": 13.8 + } + }, + "source": { + "bytes": 7880, + "geo": { + "country_name": "dolore" + }, + "ip": [ + "10.20.234.169" + ], + "port": 1001 + }, + "tags": [ + "preserve_original_event", + "fortinet-fortimanager", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. 
| keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
| keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.domain | Server domain. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. 
| keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. 
If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword 
|
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. 
| keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. 
| keyword |
+| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration.
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name.
| keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name.
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string.
The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/fortinet/1.6.1/img/fortinet-logo.svg b/packages/fortinet/1.6.1/img/fortinet-logo.svg
new file mode 100755
index 0000000000..d6a8448f32
--- /dev/null
+++ b/packages/fortinet/1.6.1/img/fortinet-logo.svg
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/packages/fortinet/1.6.1/manifest.yml b/packages/fortinet/1.6.1/manifest.yml
new file mode 100755
index 0000000000..25f9d292a2
--- /dev/null
+++ b/packages/fortinet/1.6.1/manifest.yml
@@ -0,0 +1,32 @@
+name: fortinet
+title: Fortinet Logs
+version: "1.6.1"
+release: ga
+description: Collect logs from Fortinet instances with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security"]
+conditions:
+ kibana.version: "^7.14.1 || ^8.0.0"
+icons:
+ - src: /img/fortinet-logo.svg
+ title: Fortinet
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: fortinet
+ title: Fortinet logs
+ description: Collect logs from Fortinet instances
+ inputs:
+ - type: logfile
+ title: "Collect Fortinet logs (input: logfile)"
+ description: "Collecting logs from Fortinet instances (input: logfile)"
+ - type: tcp
+ title: "Collect Fortinet logs (input: tcp)"
+ description: "Collecting logs from Fortinet instances (input: tcp)"
+ - type: udp
+ title: "Collect Fortinet logs (input: udp)"
+ description: "Collecting logs from Fortinet instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/gcp/1.9.0/changelog.yml b/packages/gcp/1.9.0/changelog.yml
new file mode 100755
index 0000000000..eacc3050fa
--- /dev/null
+++ b/packages/gcp/1.9.0/changelog.yml
@@ -0,0 +1,142 @@
+# newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Preserve request and response in flattened fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3390
+- version: "1.8.0"
+ changes:
+ - description: Add missing `cloud.provider` field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3274
+- version: "1.7.0"
+ changes:
+ - description: Add dashboards for firewall and vpc flow logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3280
+ - description: Add missing mappings for several `event.*` fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3280
+- version: "1.6.1"
+ changes:
+ - description: Clarify the GCP privileges required by the Pub/Sub input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3206
+- version: "1.6.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.5.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.5.0"
+ changes:
+ - description: Improve Google Cloud Platform docs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2842
+- version: "1.4.2"
+ changes:
+ - description: Remove emtpy values, names with only dots, and invalid client IPs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2747
+- version: "1.4.1"
+ changes:
+ - description: Fix quoting of the credentials_json value in policy templates.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2712
+- version: "1.4.0"
+ changes:
+ - description: Add gcp.dns integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2624
+- version: "1.3.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2406
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2251
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1965
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1818
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1661
+- version: "1.0.0"
+ changes:
+ - description: Move from experimental to GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1568
+ - description: remove experimental from data_sets
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1717
+- version: "0.3.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1478
+- version: '0.3.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1385
+- version: "0.3.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.3.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.2.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1240
+- version: "0.1.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1045
+- version: "0.0.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/846
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/459
diff --git a/packages/gcp/1.9.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
new file mode 100755
index 0000000000..d582de0a80
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
@@ -0,0 +1,27 @@
+project_id: {{project_id}}
+topic: {{topic}}
+subscription.name: {{subscription_name}}
+{{#if credentials_file}}
+credentials_file: {{credentials_file}}
+{{/if}}
+{{#if credentials_json}}
+credentials_json: '{{credentials_json}}'
+{{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
+subscription.create: {{subscription_create}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gcp/1.9.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..fc0ff88942
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
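Review bot: The scalar substitutions at the top of the stream template and inside the `credentials_file`/`alternative_host` blocks are rendered unquoted (`project_id: {{project_id}}`, `topic: {{topic}}`, `subscription.name: {{subscription_name}}`), so the policy value is exposed to YAML implicit typing: an empty value becomes null, and a value containing `: ` or ` #`, or starting with `{`, `[`, `*` or `&`, changes the structure of the rendered document instead of reaching the input as a string. Only `credentials_json` is quoted, so the file is also inconsistent with itself. Quoting each substitution the same way, e.g. `project_id: "{{project_id}}"` and `credentials_file: "{{credentials_file}}"`, and `- "{{tag}}"` in the tags loop, keeps user-supplied policy values as strings; `subscription.create: {{subscription_create}}` can stay unquoted since it is meant to render a boolean.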
@@ -0,0 +1,388 @@
+---
+description: Pipeline for Google Cloud audit logs
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - set:
+ field: gcp.audit.type
+ copy_from: "json.protoPayload.@type"
+ ignore_failure: true
+##
+# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
+# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog
+##
+ - drop:
+ description: Drop the document if it is not of AuditLog type
+ if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog'
+# .insertId
+ - set:
+ field: event.id
+ copy_from: json.insertId
+ if: ctx.json?.insertId != null
+# .logName
+ - rename:
+ field: json.logName
+ target_field: log.logger
+ ignore_missing: true
+# .severity
+ - rename:
+ field: json.severity
+ target_field: log.level
+ ignore_missing: true
+##
+# Extract the type of audit logging data from logName to event.provider
+# https://cloud.google.com/pubsub/docs/audit-logging#log_name
+##
+ - dissect:
+ field: log.logger
+ pattern: "%{}%2F%{event.provider}"
+ ignore_missing: true
+ # NOTE test data fails the spec
+ ignore_failure: true
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: cloud.provider
+ value: gcp
+ - date:
+ field: json.timestamp
+ timezone: UTC
+ formats:
+ - ISO8601
+##
+# MonitoredResource
+# .resource
+# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource
+##
+ - set:
+ field: cloud.project.id
+ copy_from: json.resource.labels.project_id
+ if: ctx.json?.resource?.labels?.project_id != null
+ - set:
+ field: cloud.instance.id
+ copy_from: json.resource.labels.instance_id
+ if: ctx.json?.resource?.labels?.instance_id != null
+##
+# MonitoredResourceDescriptor type
+#
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor
+# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list
+##
+ - set:
+ field: orchestrator.type
+ value: kubernetes
+ if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
+ - set:
+ field: orchestrator.cluster.name
+ copy_from: json.resource.labels.cluster_name
+ ignore_empty_value: true
+ if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
+ - set:
+ field: _temp.type
+ copy_from: json.protoPayload.resourceName
+ ignore_empty_value: true
+ if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster'
+ - grok:
+ field: _temp.type
+ patterns:
+ - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?'
+ - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}'
+ - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}'
+ - 'api/%{API_VERSION:orchestrator.api_version}'
+ - '%{RESOURCE_TYPE:orchestrator.resource.type}'
+ pattern_definitions:
+ API_VERSION: (v\d+([a-z]+)?(\d+)?)
+ RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?)
+ ignore_missing: true
+
+##
+# AuthenticationInfo
+# .protoPayload.authenticationInfo
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo
+##
+# email address of authenticated user (redacted) or service account
+# principalEmail -> client.user.email
+ - rename:
+ field: json.protoPayload.authenticationInfo.principalEmail
+ target_field: client.user.email
+ ignore_missing: true
+# identity of requesting first or third party
+# principalSubject -> client.user.id
+ - rename:
+ field: json.protoPayload.authenticationInfo.principalSubject
+ target_field: client.user.id
+ ignore_missing: true
+ - rename:
+ field: json.protoPayload.authenticationInfo.authoritySelector
+ target_field: gcp.audit.authentication_info.authority_selector
+ ignore_missing: true
+
+# TODO remove - duplicated in client.user.email and client.user.id
+ - set:
+ field: gcp.audit.authentication_info.principal_email
+ copy_from: client.user.email
+ if: ctx.client?.user?.email != null
+ - set:
+ field: gcp.audit.authentication_info.principal_subject
+ copy_from: client.user.id
+ if: ctx.client?.user?.id != null
+##
+# AuthorizationInfo
+# .protoPayload.authorizationInfo
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo
+##
+ - rename:
+ field: json.protoPayload.authorizationInfo
+ target_field: gcp.audit.authorization_info
+ ignore_missing: true
+ - foreach:
+ field: gcp.audit.authorization_info
+ ignore_missing: true
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.resourceAttributes
+ target_field: _ingest._value.resource_attributes
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List
+
+##
+# Labels
+# .labels
+##
+ - set:
+ field: gcp.audit.labels
+ copy_from: json.labels
+ if: ctx.json?.labels != null
+##
+# RequestMetadata
+# .protoPayload.requestMetadata
+#
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata
+##
+ - convert:
+ if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip"
+ type: ip
+ field: json.protoPayload.requestMetadata.callerIp
+ target_field: source.ip
+ ignore_missing: true
+ # TODO remove - duplicated in useragent
+ - rename:
+ field: json.protoPayload.requestMetadata.callerSuppliedUserAgent
+ target_field: gcp.audit.request_metadata.caller_supplied_user_agent
+ ignore_missing: true
+ - set:
+ field: user_agent.original
+ value: "{{gcp.audit.request_metadata.caller_supplied_user_agent}}"
+ if: ctx?.gcp?.audit?.request_metadata?.caller_supplied_user_agent != null
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+##
+# LogEntryOperation
+# .operation
+# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation
+##
+# set only if it is not the same as insertId
+ - set:
+ field: gcp.audit.logentry_operation.id
+ copy_from: json.operation.id
+ if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id
+ - script:
+ lang: painless
+ description: set event.category and type for long running operation
+ tag: set-event-type-for-long-operations
+ if: ctx.json?.operation != null
+ source: |
+ def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first;
+ def last = (ctx.json.operation.last == null) ?
false : ctx.json.operation.last;
+ if (first && last) {
+ return;
+ }
+ if (ctx.event.category == null) {
+ ctx.event.category = new ArrayList();
+ }
+ if (ctx.event.type == null) {
+ ctx.event.type = new ArrayList();
+ }
+ ctx.event.category.add('session');
+ if (first == true && last == false) {
+ ctx.event.type.add('start');
+ }
+ if (first == false && last == true) {
+ ctx.event.type.add('end');
+ }
+
+# TODO remove duplicate protoPayload.methodName
+ - rename:
+ field: json.protoPayload.methodName
+ target_field: gcp.audit.method_name
+ ignore_missing: true
+ - set:
+ field: event.action
+ value: "{{gcp.audit.method_name}}"
+ if: ctx?.gcp?.audit?.method_name != null
+ - convert:
+ field: json.protoPayload.numResponseItems
+ target_field: gcp.audit.num_response_items
+ type: long
+ ignore_missing: true
+ - set:
+ field: gcp.audit.request
+ copy_from: json.protoPayload.request
+ if: ctx.json?.protoPayload?.request != null
+ - set:
+ field: gcp.audit.response
+ copy_from: json.protoPayload.response
+ if: ctx.json?.protoPayload?.response != null
+ - rename:
+ field: json.protoPayload.resourceName
+ target_field: gcp.audit.resource_name
+ ignore_missing: true
+ if: ctx.orchestrator?.type != 'kubernetes'
+ - rename:
+ field: json.protoPayload.resourceLocation.currentLocations
+ target_field: gcp.audit.resource_location.current_locations
+ ignore_missing: true
+# TODO remove duplicate json.protoPayload.serviceName
+ - rename:
+ field: json.protoPayload.serviceName
+ target_field: gcp.audit.service_name
+ ignore_missing: true
+ - set:
+ field: service.name
+ value: "{{gcp.audit.service_name}}"
+ if: ctx?.gcp?.audit?.service_name != null
+##
+# .protoPayload.Status
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status
+# google.rpc.Code referred in Status can have the following values
+# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto
+##
+ - convert:
+ field: json.protoPayload.status.code
+
target_field: gcp.audit.status.code
+ type: long
+ ignore_missing: true
+ - rename:
+ field: json.protoPayload.status.message
+ target_field: gcp.audit.status.message
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted
+ - set:
+ field: event.outcome
+ value: unknown
+ if: ctx?.event?.outcome == null
+
+##
+# if gcp.audit.authorization_info.[0].granted is true then
+# set event.category [network, configuration] and event.type to [access, allowed];
+# Caveat
+# 1. protoPayload.resourceName is a single value while authorization_info[].resource
+# is a list.
+# 2. as per test data authorization_info may not be as per spec.
+##
+ - append:
+ field: event.category
+ value: ['network', 'configuration']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1
+ - append:
+ field: event.type
+ value: ['access', 'allowed']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted
+ - append:
+ field: event.type
+ value: ['access', 'denied']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted
+
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+
+##
+# clean-up
+##
+ - remove:
+ field:
+ - _temp
+ - json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null and empty values and dotted keys recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ def m = ((Map) o);
+ def it = m.entrySet().iterator();
+ while (it.hasNext()) {
+ def e = ((Map.Entry) it.next());
+ def key =
((String) e.getKey());
+ def value = e.getValue();
+ Pattern onlyDotsRegex = /^\.+$/;
+ if (onlyDotsRegex.matcher(key).matches() || drop(value)) {
+ it.remove();
+ }
+ }
+ return (m.size() == 0);
+ } else if (o instanceof List) {
+ def l = ((List) o);
+ l.removeIf(v -> drop(v));
+ return (l.length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/1.9.0/data_stream/audit/fields/agent.yml b/packages/gcp/1.9.0/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/audit/fields/agent.yml
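Review bot: The two `event.outcome` `set` processors that fall back on `authorization_info` evaluate `ctx?.gcp?.audit?.authorization_info[0].granted` with no null guard, whereas the later `event.type` `append` processors first check `authorization_info[0]?.granted != null`; an entry whose `granted` key is absent (likely for denied calls, since proto3 JSON normally omits a false boolean) would, as far as I can tell, put a null into a boolean `&&`/`!` in Painless and send the document to `on_failure`, so it is indexed with only `error.message` and none of the outcome, category/type or geoip enrichment that follows. Align the two conditions with the appends, e.g. `... && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted` and its negated twin. The `convert` of `requestMetadata.callerIp` to `ip` has the same early-exit shape: only the `gce-internal-ip` marker is excluded, so any other non-IP value in that field aborts the whole pipeline at that step instead of just leaving `source.ip` unset; `ignore_failure: true` on that processor, or an explicit IP check in its `if`, would keep the rest of the enrichment. Separately, the three `set` processors that use mustache (`value: "{{gcp.audit.request_metadata.caller_supplied_user_agent}}"`, `"{{gcp.audit.method_name}}"`, `"{{gcp.audit.service_name}}"`) could use `copy_from` like the rest of the pipeline, which copies the value without rendering a caller-supplied string through a template.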
@@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
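Review bot: The `cloud.project.id` entry at the end of the `cloud` group is described as `Name of the project in Google Cloud.`, but the field carries the project ID (the audit sample event later in this diff has `cloud.project.id: elastic-beats`, and the dns pipeline fills it from `resource.labels.project_id`), and a GCP project's display name is a separate, changeable attribute. Change it to `description: ID of the project in Google Cloud.` so analysts do not try to match it against display names. In the same group, `account.id` has `example: 666777888999`, an unquoted integer for a keyword field; `example: "666777888999"` keeps tooling from rendering it as a number.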
diff --git a/packages/gcp/1.9.0/data_stream/audit/fields/base-fields.yml b/packages/gcp/1.9.0/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..4a7da76510 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.audit diff --git a/packages/gcp/1.9.0/data_stream/audit/fields/ecs.yml b/packages/gcp/1.9.0/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..982283187d --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,202 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: API version being used to carry out the action + name: orchestrator.api_version + type: keyword +- description: Name of the cluster. + name: orchestrator.cluster.name + type: keyword +- description: URL of the API used to manage the cluster. + name: orchestrator.cluster.url + type: keyword +- description: The version of the cluster. + name: orchestrator.cluster.version + type: keyword +- description: Namespace in which the action is taking place. + name: orchestrator.namespace + type: keyword +- description: Organization affected by the event (for multi-tenant orchestrator setups). 
+ name: orchestrator.organization + type: keyword +- description: Name of the resource being acted upon. + name: orchestrator.resource.name + type: keyword +- description: Type of resource being acted upon. + name: orchestrator.resource.type + type: keyword +- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + name: orchestrator.type + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text 
diff --git a/packages/gcp/1.9.0/data_stream/audit/fields/fields.yml b/packages/gcp/1.9.0/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..12064f765e --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,115 @@ +- name: gcp.audit + type: group + fields: + - name: type + type: keyword + description: | + Type property. + - name: authentication_info + type: group + fields: + - name: principal_email + type: keyword + description: "The email address of the authenticated user making the request." + - name: authority_selector + type: keyword + description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." + - name: principal_subject + type: keyword + description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." + - name: authorization_info + type: array + description: | + Authorization information for the operation. + fields: + - name: permission + type: keyword + description: "The required IAM permission." + - name: granted + type: boolean + description: "Whether or not authorization for resource and permission was granted." + - name: resource + type: keyword + description: "The resource being accessed, as a REST-style string." + - name: resource_attributes + type: group + fields: + - name: service + type: keyword + description: | + The name of the service. + - name: name + type: keyword + description: | + The name of the resource. + - name: type + type: keyword + description: | + The type of the resource. + - name: labels + type: flattened + description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." + - name: logentry_operation + type: group + fields: + - name: id + type: keyword + description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." + - name: producer + type: keyword + description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." + - name: first + type: boolean + description: "Optional. Set this to True if this is the first log entry in the operation." + - name: last + type: boolean + description: "Optional. Set this to True if this is the last log entry in the operation." + - name: method_name + type: keyword + description: | + The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + - name: num_response_items + type: long + description: | + The number of items returned from a List or Query API method, if applicable. + - name: request + type: flattened + - name: request_metadata + type: group + fields: + - name: caller_ip + type: ip + description: "The IP address of the caller." + - name: raw.caller_ip + type: keyword + description: "The raw IP address of the caller." + - name: caller_supplied_user_agent + type: keyword + description: | + The user agent of the caller. This information is not authenticated and should be treated accordingly. + - name: response + type: flattened + - name: resource_name + type: keyword + description: | + The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + - name: resource_location + type: group + fields: + - name: current_locations + type: array + description: | + Current locations of the resource. + - name: service_name + type: keyword + description: | + The name of the API service performing the operation. For example, datastore.googleapis.com. + - name: status + type: group + fields: + - name: code + type: integer + description: "The status code, which should be an enum value of google.rpc.Code." + - name: message + type: keyword + description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/1.9.0/data_stream/audit/fields/package-fields.yml b/packages/gcp/1.9.0/data_stream/audit/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/audit/fields/package-fields.yml @@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/1.9.0/data_stream/audit/manifest.yml b/packages/gcp/1.9.0/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..0c5919ce10 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/audit/manifest.yml 
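Review bot: `gcp.audit.request_metadata.raw.caller_ip` is described only as `The raw IP address of the caller`, which does not explain why a keyword copy sits next to the `ip`-typed `caller_ip`. The keyword copy is justified because GCP documents that `callerIp` may be replaced by a placeholder such as `private` for calls from inside Google's network, and such a value cannot be indexed into an `ip` field; the description should say so, e.g. `"The caller IP as reported by GCP, kept as a keyword because it may be a redacted placeholder (e.g. private) rather than an address."`. Without that, a detection author may filter on `caller_ip` alone and silently miss redacted entries; presumably the audit pipeline copies the raw value here before converting, but that logic is in a different file.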
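Review bot: In the `gcp.destination.vpc` and `gcp.source.vpc` groups, `project_id` is described as `ID of the project containing the VM.`, evidently copied from the `instance` groups; for the vpc groups it should read `ID of the project containing the VPC.`. The distinction matters when pivoting on these fields, since with shared VPC the network can be owned by a different host project than the VM.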
@@ -0,0 +1,58 @@ +type: logs +title: Google Cloud Platform (GCP) audit logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-audit + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-audit + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/1.9.0/data_stream/audit/sample_event.json b/packages/gcp/1.9.0/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..b5881e272f --- /dev/null 
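Review bot: The `tags` variable has no `description`, yet its default `forwarded` entry has a side effect: the gcp-pubsub stream template (the dns one is visible further down this diff; the audit one is presumably the same) emits `publisher_pipeline.disable_host: true` whenever `forwarded` is present, so dropping that tag silently starts stamping the collecting agent's `host.*` fields onto every GCP audit event. Add something like `description: Tags to add to each event. Keep "forwarded" so the collector's own host.* fields are not added to forwarded GCP events.`. Similarly, `subscription_create` could note that creating a subscription needs broader Pub/Sub IAM rights on the collector's service account than consuming an existing one, which is the least-privilege reason to keep the `false` default.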
+++ b/packages/gcp/1.9.0/data_stream/audit/sample_event.json 
@@ -0,0 +1,130 @@ +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": "xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": 
"jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} \ No newline at end of file diff --git a/packages/gcp/1.9.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
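Review bot: `project_id`, `topic`, `subscription.name`, `credentials_file` and `alternative_host` are rendered as plain unquoted YAML scalars, so a value containing `: ` or ` #`, or starting with a YAML indicator, changes the parsed config (a `#` in a credentials path truncates it), while `credentials_json` is single-quoted but not escaped, so a `'` inside the value ends the scalar early. Render the user-supplied scalars quoted the way `credentials_json` already is, e.g. `project_id: '{{project_id}}'`, `topic: '{{topic}}'`, `subscription.name: '{{subscription_name}}'`, and the same for the two optional ones. The `{{#each tags}}` loop has the same exposure, since a tag such as `no` or `on` is read as a boolean by YAML 1.1 parsers, so `- '{{tag}}'` is safer there too.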
diff --git a/packages/gcp/1.9.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..9589af9c48 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,243 @@ +--- +description: Pipeline for Google Cloud DNS logs + +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - set: + field: event.kind + value: event + - set: + field: cloud.provider + value: gcp + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - convert: + field: json.resource.labels.project_id + target_field: cloud.project.id + type: string + ignore_failure: true + - convert: + field: json.resource.labels.location + target_field: cloud.region + type: string + ignore_failure: true + - rename: + field: json.jsonPayload.authAnswer + target_field: gcp.dns.auth_answer + ignore_missing: true + - rename: + field: json.jsonPayload.destinationIP + target_field: gcp.dns.destination_ip + ignore_missing: true + - set: + field: destination.address + copy_from: gcp.dns.destination_ip + ignore_failure: true + - convert: + field: gcp.dns.destination_ip + target_field: destination.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.egressError + target_field: gcp.dns.egress_error + ignore_missing: true + - rename: + field: json.jsonPayload.protocol + target_field: gcp.dns.protocol + ignore_missing: true + - set: + field: network.transport + copy_from: gcp.dns.protocol + ignore_failure: true + - lowercase: + field: network.transport + ignore_missing: true + - rename: + field: json.jsonPayload.queryName + target_field: gcp.dns.query_name + ignore_missing: true + - set: + field: dns.question.name + copy_from: gcp.dns.query_name + ignore_failure: true + - gsub: + field: dns.question.name + pattern: "[.]$" + replacement: "" + ignore_failure: true + - registered_domain: + field: 
dns.question.name + target_field: dns.question + - remove: + field: dns.question.domain + ignore_missing: true + - rename: + field: json.jsonPayload.queryType + target_field: gcp.dns.query_type + ignore_missing: true + - set: + field: dns.question.type + copy_from: gcp.dns.query_type + ignore_failure: true + - rename: + field: json.jsonPayload.rdata + target_field: gcp.dns.rdata + ignore_missing: true + - script: + if: ctx?.gcp?.dns?.rdata != null + lang: painless + tag: Process DNS RData + description: This script processes the DNS RData into `dns.answers` and `dns.resolved_ip`. + source: | + def rdata = ctx.gcp.dns.rdata; + + def dns_answers = []; + def dns_resolved_ip = []; + + // Check for truncated answers. + def truncated = rdata.endsWith("...") ? 1 : 0; + + // Process answers. + def rdata_answers = /\n/.split(rdata); + + for (def i = 0; i < rdata_answers.length - truncated; i++) { + def answer_parts = /\t/.split(rdata_answers[i]); + + // Assign answer parts. + def name = answer_parts[0]; + def ttl = answer_parts[1]; + def cls = answer_parts[2]; + def type = answer_parts[3]; + def data = answer_parts[4]; + + // Remove trailing fullstop. + if (name.endsWith(".")) { + name = name.substring(0, name.length() - 1); + } + + if (data.endsWith(".")) { + data = data.substring(0, data.length() - 1); + } + + // Uppercase type. 
+ type = type.toUpperCase(); + + dns_answers.add([ + "name": name, + "ttl": ttl, + "class": cls, + "type": type, + "data": data + ]); + + if (type == "A" || type == "AAAA") { + dns_resolved_ip.add(data); + } + } + + ctx.dns.answers = dns_answers; + ctx.dns.resolved_ip = dns_resolved_ip; + - rename: + field: json.jsonPayload.responseCode + target_field: gcp.dns.response_code + ignore_missing: true + - set: + field: dns.response_code + copy_from: gcp.dns.response_code + ignore_failure: true + - set: + field: event.outcome + value: success + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" + - set: + field: event.outcome + value: failure + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" + - rename: + field: json.jsonPayload.serverLatency + target_field: gcp.dns.server_latency + ignore_missing: true + - rename: + field: json.jsonPayload.sourceIP + target_field: gcp.dns.source_ip + ignore_missing: true + - set: + field: source.address + copy_from: gcp.dns.source_ip + ignore_failure: true + - convert: + field: gcp.dns.source_ip + target_field: source.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.sourceNetwork + target_field: gcp.dns.source_network + ignore_missing: true + - rename: + field: json.jsonPayload.vmInstanceIdString + target_field: gcp.dns.vm_instance_id + ignore_missing: true + - set: + field: cloud.instance.id + copy_from: gcp.dns.vm_instance_id + ignore_failure: true + - rename: + field: json.jsonPayload.vmInstanceName + target_field: gcp.dns.vm_instance_name + ignore_missing: true + - set: + field: cloud.instance.name + copy_from: gcp.dns.vm_instance_name + ignore_failure: true + - gsub: + field: cloud.instance.name + pattern: "^.*[.]" + replacement: "" + ignore_failure: true + - rename: + field: json.jsonPayload.vmProjectId + target_field: gcp.dns.vm_project_id + ignore_missing: true + - rename: + field: json.jsonPayload.vmZoneName + target_field: 
gcp.dns.vm_zone_name + ignore_missing: true + - set: + field: cloud.availability_zone + copy_from: gcp.dns.vm_zone_name + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/1.9.0/data_stream/dns/fields/agent.yml b/packages/gcp/1.9.0/data_stream/dns/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/fields/agent.yml 
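Review bot: In the `Process DNS RData` script the loop reads `answer_parts[0]` through `answer_parts[4]` without checking how many tab-separated fields the line actually has, so any line with fewer than five fields (an empty `rdata` string, for instance, which passes the `!= null` guard and splits to one element) throws, and because the script has no `ignore_failure` the pipeline-level `on_failure` halts the document before `gcp.dns.response_code`, `source.ip` and `event.outcome` are set. The trailing-`...` check only drops the final line, so it does not cover this case. A one-line guard after the tab split, `if (answer_parts.length < 5) { continue; }`, keeps the well-formed answers and lets the rest of the pipeline run. Separately, `ttl` is stored as the raw string while `dns.answers.ttl` is mapped as `long` (the sample event shows `"ttl": "300"`); parsing it to a number in the script would make `_source` agree with the mapping.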
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/1.9.0/data_stream/dns/fields/base-fields.yml b/packages/gcp/1.9.0/data_stream/dns/fields/base-fields.yml new file mode 100755 index 0000000000..bc80931b38 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.dns diff --git a/packages/gcp/1.9.0/data_stream/dns/fields/ecs.yml b/packages/gcp/1.9.0/data_stream/dns/fields/ecs.yml new file mode 100755 index 0000000000..cd7eacb22f --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/fields/ecs.yml 
@@ -0,0 +1,126 @@ +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The name being queried. 
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
+ name: log.logger + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/gcp/1.9.0/data_stream/dns/fields/fields.yml b/packages/gcp/1.9.0/data_stream/dns/fields/fields.yml new file mode 100755 index 0000000000..c0a98003d6 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/fields/fields.yml 
@@ -0,0 +1,48 @@ +- name: gcp.dns + type: group + fields: + - name: auth_answer + type: boolean + description: Authoritative answer. + - name: destination_ip + type: ip + description: Destination IP address, only applicable for forwarding cases. + - name: egress_error + type: keyword + description: Egress proxy error. + - name: protocol + type: keyword + description: Protocol TCP or UDP. + - name: query_name + type: keyword + description: DNS query name. + - name: query_type + type: keyword + description: DNS query type. + - name: rdata + type: keyword + description: DNS answer in presentation format, truncated to 260 bytes. + - name: response_code + type: keyword + description: Response code. + - name: server_latency + type: integer + description: Server latency. + - name: source_ip + type: ip + description: Source IP address of the query. + - name: source_network + type: keyword + description: Source network of the query. + - name: vm_instance_id + type: keyword + description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. + - name: vm_instance_name + type: keyword + description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. + - name: vm_project_id + type: keyword + description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. + - name: vm_zone_name + type: keyword + description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. diff --git a/packages/gcp/1.9.0/data_stream/dns/manifest.yml b/packages/gcp/1.9.0/data_stream/dns/manifest.yml new file mode 100755 index 0000000000..c8190efa2e --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/dns/manifest.yml 
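Review bot: `gcp.dns.source_ip` and `gcp.dns.destination_ip` are mapped as `type: ip`, while the pipeline copies them into `source.ip`/`destination.ip` through `convert … type: ip` with `ignore_failure: true`, i.e. it anticipates values that may not parse as addresses. A value the convert step tolerates would still be rejected at index time by the `ip` mapping of the raw `gcp.dns.*` field, dropping the whole document rather than just the ECS copy. Either map the raw fields as `keyword` (the ECS fields already provide the `ip`-typed view) or confirm that the generated template sets `ignore_malformed` for them.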
@@ -0,0 +1,58 @@ +type: logs +title: Google Cloud Platform (GCP) DNS logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-dns + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-dns + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-dns + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/1.9.0/data_stream/dns/sample_event.json b/packages/gcp/1.9.0/data_stream/dns/sample_event.json new file mode 100755 index 0000000000..10349b6d73 --- /dev/null 
+++ b/packages/gcp/1.9.0/data_stream/dns/sample_event.json 
@@ -0,0 +1,100 @@ +{ + "@timestamp": "2022-01-23T09:16:05.341Z", + "agent": { + "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "europe-west2-a", + "instance": { + "id": "8340998530665147", + "name": "instance" + }, + "project": { + "id": "project" + }, + "provider": "gcp", + "region": "europe-west2" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "127.0.0.1", + "name": "elastic.co", + "ttl": "300", + "type": "A" + } + ], + "question": { + "name": "elastic.co", + "registered_domain": "elastic.co", + "top_level_domain": "co", + "type": "A" + }, + "resolved_ip": [ + "127.0.0.1" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-05-20T07:25:43.755Z", + "dataset": "gcp.dns", + "id": "vwroyze8pg7y", + "ingested": "2022-05-20T07:25:44Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "protocol": "UDP", + "query_name": "elastic.co.", + "query_type": "A", + "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", + "response_code": "NOERROR", + "server_latency": 14, + "source_ip": "10.154.0.3", + "source_network": "default", + "vm_instance_id": "8340998530665147", + "vm_instance_name": "694119234537.instance", + "vm_project_id": "project", + "vm_zone_name": "europe-west2-a" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "transport": "udp" + }, + "source": { + "address": "10.154.0.3", + "ip": "10.154.0.3" + }, + "tags": [ + 
"forwarded", + "gcp-dns" + ] +} \ No newline at end of file diff --git a/packages/gcp/1.9.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/1.9.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..7dceda4c2c --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,410 @@
+---
+description: Pipeline for Google Cloud Firewall Logs
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - community_id:
+ source_ip: json.jsonPayload.connection.src_ip
+ source_port: json.jsonPayload.connection.src_port
+ destination_ip: json.jsonPayload.connection.dest_ip
+ destination_port: json.jsonPayload.connection.dest_port
+ iana_number: json.jsonPayload.connection.protocol
+ - date:
+ field: json.timestamp
+ timezone: UTC
+ formats:
+ - ISO8601
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: network
+ - set:
+ field: event.action
+ value: firewall-rule
+ - set:
+ field: cloud.provider
+ value: gcp
+ - rename:
+ field: json.logName
+ target_field: log.logger
+ ignore_missing: true
+ - rename:
+ field: json.resource.labels.subnetwork_name
+ target_field: network.name
+ ignore_missing: true
+ - set:
+ field: event.id
+ copy_from: json.insertId
+ ignore_empty_value: true
+ ignore_failure: true
+ - rename:
+ field: json.jsonPayload.disposition
+ target_field: event.type
+ if: ctx?.json?.jsonPayload?.disposition != null
+ - set:
+ field: event.type
+ value: connection
+ if: ctx?.event?.type != null
+ - lowercase:
+ field: event.type
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null
+ - rename:
+ field: json.jsonPayload.vpc
+ target_field: json.jsonPayload.src_vpc
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.instance
+ target_field: json.jsonPayload.src_instance
+ if: ctx?.network?.direction == "outbound"
+
ignore_missing: true
+ - rename:
+ field: json.jsonPayload.location
+ target_field: json.jsonPayload.src_location
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_vpc
+ target_field: json.jsonPayload.dest_vpc
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_instance
+ target_field: json.jsonPayload.dest_instance
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_location
+ target_field: json.jsonPayload.dest_location
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.vpc
+ target_field: json.jsonPayload.dest_vpc
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.instance
+ target_field: json.jsonPayload.dest_instance
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.location
+ target_field: json.jsonPayload.dest_location
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_vpc
+ target_field: json.jsonPayload.src_vpc
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_instance
+ target_field: json.jsonPayload.src_instance
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_location
+ target_field: json.jsonPayload.src_location
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number == 
'0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+ ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+ - rename:
+ field: json.jsonPayload.connection.dest_ip
+ target_field: destination.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.dest_port
+ target_field: destination.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_ip
+ target_field: source.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_port
+ target_field: source.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance.vm_name
+ target_field: source.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance.vm_name
+ target_field: destination.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.continent
+ target_field: destination.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.country
+ target_field: destination.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.region
+ target_field: destination.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.city
+
target_field: destination.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.continent
+ target_field: source.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.country
+ target_field: source.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.region
+ target_field: source.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.city
+ target_field: source.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance
+ target_field: gcp.destination.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_vpc
+ target_field: gcp.destination.vpc
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance
+ target_field: gcp.source.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_vpc
+ target_field: gcp.source.vpc
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.rule_details.reference
+ target_field: rule.name
+ ignore_missing: true
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ if: ctx?.source?.address != null
+ ignore_failure: true
+ - set:
+ field: destination.ip
+ value: "{{destination.address}}"
+ if: ctx?.destination?.address != null
+ ignore_failure: true
+ - convert:
+ field: gcp.source.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.zone
+
target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.destination.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.zone
+ target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.network?.direction == "inbound"
+ - set:
+ field: network.direction
+ value: internal
+ if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
+ - set:
+ field: network.type
+ value: ipv6
+ if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
+ - rename:
+ field: json.jsonPayload.rule_details
+ target_field: gcp.firewall.rule_details
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx?.source?.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
+ - remove:
+ field:
+ - gcp.firewall.connection
+ - 
gcp.firewall.dest_location
+ - gcp.firewall.disposition
+ - gcp.firewall.src_location
+ - json
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/1.9.0/data_stream/firewall/fields/agent.yml b/packages/gcp/1.9.0/data_stream/firewall/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/fields/agent.yml
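Review bot: The `set` of `event.type` to `connection` guarded by `if: ctx?.event?.type != null` overwrites the value the preceding `rename` just moved in from `json.jsonPayload.disposition`, so the firewall's allow/deny verdict is dropped before `lowercase` runs and nothing else retains it — the later `remove` lists `gcp.firewall.disposition`, `gcp.firewall.connection`, `gcp.firewall.src_location` and `gcp.firewall.dest_location`, but no processor ever creates anything under `gcp.firewall` except `rule_details`, so those entries are no-ops; when the disposition is absent, `event.type` stays unset and `lowercase`, which has no `ignore_missing`, sends the document down the `on_failure` path. Unless the expected-event fixtures show this is intended, replacing the `set` with an unconditional `append` keeps both values in the ECS array: `- append:` / `    field: event.type` / `    value: connection`. A similar ordering problem affects `cloud.instance.name`: `json.jsonPayload.src_instance.vm_name` and `dest_instance.vm_name` are renamed to `source.domain` / `destination.domain` before `src_instance` / `dest_instance` are moved under `gcp.*`, so the later `convert` of `gcp.source.instance.vm_name` / `gcp.destination.instance.vm_name` into `cloud.instance.name` finds nothing and is silently skipped by `ignore_missing`; copying `vm_name` with `set` + `copy_from` before the rename, or converting `source.domain` / `destination.domain` instead, would populate it.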
@@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/gcp/1.9.0/data_stream/firewall/fields/base-fields.yml b/packages/gcp/1.9.0/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..93e2a6ab3b
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.firewall
diff --git a/packages/gcp/1.9.0/data_stream/firewall/fields/ecs.yml b/packages/gcp/1.9.0/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..54175f3093
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,240 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. 
+ name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
+ doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
+ name: log.logger + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Name given by operators to sections of their network. 
+ name: network.name + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: |- + The domain name of the source system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/gcp/1.9.0/data_stream/firewall/fields/fields.yml b/packages/gcp/1.9.0/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..98681562b2 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/firewall/fields/fields.yml 
@@ -0,0 +1,44 @@
+- name: gcp.firewall
+ type: group
+ fields:
+ - name: rule_details
+ type: group
+ fields:
+ - name: priority
+ type: long
+ description: The priority for the firewall rule.
+ - name: action
+ type: keyword
+ description: Action that the rule performs on match.
+ - name: direction
+ type: keyword
+ description: Direction of traffic that matches this rule.
+ - name: reference
+ type: keyword
+ description: Reference to the firewall rule.
+ - name: source_range
+ type: keyword
+ description: List of source ranges that the firewall rule applies to.
+ - name: destination_range
+ type: keyword
+ description: List of destination ranges that the firewall applies to.
+ - name: source_tag
+ type: keyword
+ description: |
+ List of all the source tags that the firewall rule applies to.
+ - name: target_tag
+ type: keyword
+ description: |
+ List of all the target tags that the firewall rule applies to.
+ - name: ip_port_info
+ type: array
+ description: |
+ List of ip protocols and applicable port ranges for rules.
+ - name: source_service_account
+ type: keyword
+ description: |
+ List of all the source service accounts that the firewall rule applies to.
+ - name: target_service_account
+ type: keyword
+ description: |
+ List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/1.9.0/data_stream/firewall/fields/package-fields.yml b/packages/gcp/1.9.0/data_stream/firewall/fields/package-fields.yml
new file mode 100755
index 0000000000..88482fd9c1
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/fields/package-fields.yml
@@ -0,0 +1,63 @@
+- name: gcp
+ type: group
+ fields:
+ - name: destination.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: destination.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
+ - name: source.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: source.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
diff --git a/packages/gcp/1.9.0/data_stream/firewall/manifest.yml b/packages/gcp/1.9.0/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..4d0f663192
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/manifest.yml
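Review bot: The `project_id` members under `destination.vpc` and `source.vpc` reuse the `*.instance` description "ID of the project containing the VM.", which reads as a copy-paste. If these come from GCP's `dest_vpc`/`src_vpc` payload objects (the vpcflow pipeline later on this page renames `json.jsonPayload.dest_vpc` to `gcp.destination.vpc`), the project is that of the network, and in a Shared VPC setup the network's host project differs from the VM's project — an analyst correlating across projects would be misled by the current text. Suggest `ID of the project containing the VPC network.` for both `vpc` groups, leaving the `instance` groups as they are.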
@@ -0,0 +1,58 @@
+type: logs
+title: Google Cloud Platform (GCP) firewall logs
+streams:
+ - input: gcp-pubsub
+ vars:
+ - name: topic
+ type: text
+ title: Topic
+ description: Name of the topic where the logs are written to.
+ multi: false
+ required: true
+ show_user: true
+ default: cloud-logging-firewall
+ - name: subscription_name
+ type: text
+ title: Subscription Name
+ description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
+ multi: false
+ required: true
+ show_user: true
+ default: filebeat-gcp-firewall
+ - name: subscription_create
+ type: bool
+ title: Subscription Create
+ description: If true, the integration will create the subscription on start.
+ multi: false
+ required: true
+ show_user: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - gcp-firewall
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: gcp-pubsub.yml.hbs
+ title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
+ description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
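Review bot: The `subscription_create` description does not tell the operator what enabling it implies for the collector's identity: creating a subscription on start needs a credential that can create subscriptions on the topic, whereas the default `false` lets the agent run with subscribe-only permissions. Since `show_user: false` hides this option behind the advanced settings, the description is the only place that guidance will be seen; suggest `description: If true, the integration will create the subscription on start. This requires the configured credentials to be allowed to create subscriptions; leave it false to run with subscribe-only permissions.` The `processors` description also ends with a blank line inside a `>` folded scalar, which becomes part of the value; `>-` would avoid the trailing newline.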
diff --git a/packages/gcp/1.9.0/data_stream/firewall/sample_event.json b/packages/gcp/1.9.0/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..feeb2644cf
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/firewall/sample_event.json
@@ -0,0 +1,120 @@ +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:26:27.445Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-05-20T07:26:28Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + 
"rule": {
+ "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
+ },
+ "source": {
+ "address": "192.168.2.126",
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "omn"
+ },
+ "ip": "192.168.2.126",
+ "port": 64853
+ },
+ "tags": [
+ "forwarded",
+ "gcp-firewall"
+ ]
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
new file mode 100755
index 0000000000..d582de0a80
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
@@ -0,0 +1,27 @@
+project_id: {{project_id}}
+topic: {{topic}}
+subscription.name: {{subscription_name}}
+{{#if credentials_file}}
+credentials_file: {{credentials_file}}
+{{/if}}
+{{#if credentials_json}}
+credentials_json: '{{credentials_json}}'
+{{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
+subscription.create: {{subscription_create}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..594342f345
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
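Review bot: In the gcp-pubsub.yml.hbs hunk, `project_id`, `topic`, `subscription.name`, `credentials_file` and `alternative_host` are substituted unquoted, so the rendered text is parsed as YAML with whatever the operator typed: an empty expansion becomes `null`, and a value containing `: ` or ` #` or starting with a YAML indicator changes the parse rather than producing a clean validation error. Quoting the scalars, e.g. `project_id: "{{project_id}}"`, `topic: "{{topic}}"`, `subscription.name: "{{subscription_name}}"` (and likewise for `credentials_file` and `alternative_host`), keeps the rendered value a string in every case. `credentials_json` is already single-quoted, which correctly preserves the `\n` escapes inside the key material for the JSON parser; note that a `'` inside the pasted JSON would still break the document, which is presumably acceptable for a service-account key file.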
@@ -0,0 +1,371 @@ +--- +description: Pipeline for Google Cloud VPC Flow Logs + +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - community_id: + source_ip: json.jsonPayload.connection.src_ip + source_port: json.jsonPayload.connection.src_port + destination_ip: json.jsonPayload.connection.dest_ip + destination_port: json.jsonPayload.connection.dest_port + iana_number: json.jsonPayload.connection.protocol + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - set: + field: event.kind + value: event + - set: + field: event.category + value: network + - set: + field: event.type + value: connection + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - set: + field: cloud.provider + value: gcp + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - rename: + field: json.jsonPayload.connection.dest_ip + target_field: destination.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.dest_port + target_field: destination.port + ignore_missing: true + - rename: + field: json.jsonPayload.connection.protocol + target_field: network.iana_number + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_ip + target_field: source.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_port + target_field: source.port + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance.vm_name + target_field: source.domain + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance.vm_name + target_field: destination.domain + ignore_missing: true + - rename: + field: json.jsonPayload.bytes_sent + target_field: source.bytes + ignore_missing: true + - rename: + field: json.jsonPayload.packets_sent + target_field: source.packets + 
ignore_missing: true + - rename: + field: json.jsonPayload.start_time + target_field: event.start + ignore_missing: true + - rename: + field: json.jsonPayload.end_time + target_field: event.end + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.continent + target_field: destination.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.country + target_field: destination.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.region + target_field: destination.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.city + target_field: destination.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.continent + target_field: source.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.country + target_field: source.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.region + target_field: source.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.city + target_field: source.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance + target_field: gcp.destination.instance + ignore_missing: true + - rename: + field: json.jsonPayload.dest_vpc + target_field: gcp.destination.vpc + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance + target_field: gcp.source.instance + ignore_missing: true + - rename: + field: json.jsonPayload.src_vpc + target_field: gcp.source.vpc + ignore_missing: true + - convert: + field: json.jsonPayload.rtt_msec + target_field: json.jsonPayload.rtt.ms + type: long + ignore_missing: true + - 
rename: + field: json.jsonPayload + target_field: gcp.vpcflow + ignore_missing: true + - convert: + field: source.bytes + type: long + ignore_missing: true + - convert: + field: source.packets + type: long + ignore_missing: true + - convert: + field: network.iana_number + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - remove: + field: + - gcp.vpcflow.rtt_msec + - gcp.vpcflow.connection + - gcp.vpcflow.dest_location + - gcp.vpcflow.src_location + - json + ignore_missing: true + - set: + field: source.ip + value: "{{source.address}}" + ignore_failure: true + if: ctx?.source?.address != null + - set: + field: destination.ip + value: "{{destination.address}}" + ignore_failure: true + if: ctx?.destination?.address != null + - convert: + field: gcp.source.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: 
gcp.source.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.destination.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: source.bytes + type: long + target_field: network.bytes + ignore_missing: true + - convert: + field: source.packets + type: long + target_field: network.packets + ignore_missing: true + - set: + field: network.direction + value: internal + if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null + - set: + field: network.direction + value: outbound + if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null + - set: + field: network.direction + value: inbound + if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null + - set: + 
field: network.direction + value: unknown + if: ctx?.network?.direction == null + - set: + field: network.type + value: ipv4 + if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") + - set: + field: network.type + value: ipv6 + if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
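Review bot: The `cloud.project.id`, `cloud.instance.name`, `cloud.region` and `cloud.availability_zone` converts take their values from `gcp.source.instance` when `gcp.vpcflow.reporter == "DEST"` and from `gcp.destination.instance` when it is `"SRC"`; if `reporter` names the VM that emitted the flow record, this assigns the peer's project, instance and zone to `cloud.*` and would misattribute the event in any host- or project-scoped detection. Please confirm against the GCP flow-log schema and, if so, swap the `"SRC"`/`"DEST"` conditions on those ten convert processors. Separately, `json.jsonPayload.src_location.country` and `dest_location.country` are renamed to `*.geo.country_name`, but the firewall sample event earlier on this page shows the same field family arriving as a lowercase three-letter code (`"country_name": "omn"`), which suggests these carry a country code rather than a name; consider mapping them to `*.geo.country_iso_code` (normalized) or documenting the deviation in a comment above the rename. The `network.type` test `ctx?.source?.ip.contains(".")` also classifies IPv4-mapped IPv6 addresses as `ipv4`, which is a minor inaccuracy worth a comment.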
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/fields/agent.yml b/packages/gcp/1.9.0/data_stream/vpcflow/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/vpcflow/fields/agent.yml
@@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
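Review bot: In the agent.yml hunk, `cloud.account.id` has `example: 666777888999` unquoted, so a YAML loader reads the example as an integer for a field that is declared `keyword`; `example: "666777888999"` keeps the documentation value the same type as the field, and the same quoting discipline already applied to `os.build` (`"18D109"`) and `os.codename` (`"stretch"`) in this file. The rest of the examples (`10.14.1`, `4.4.0-112-generic`, `i-1234567890abcdef0`) are unambiguous strings and can stay unquoted.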
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/1.9.0/data_stream/vpcflow/fields/base-fields.yml
new file mode 100755
index 0000000000..09f5a3a04a
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/vpcflow/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.vpcflow
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/1.9.0/data_stream/vpcflow/fields/ecs.yml
new file mode 100755
index 0000000000..1fb5a0a066
--- /dev/null
+++ b/packages/gcp/1.9.0/data_stream/vpcflow/fields/ecs.yml
@@ -0,0 +1,262 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. 
+ name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
+ doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+ name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword 
diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/fields/fields.yml b/packages/gcp/1.9.0/data_stream/vpcflow/fields/fields.yml new file mode 100755 index 0000000000..afd0aca3fa --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/vpcflow/fields/fields.yml @@ -0,0 +1,11 @@ +- name: gcp.vpcflow + type: group + fields: + - name: reporter + type: keyword + description: | + The side which reported the flow. Can be either 'SRC' or 'DEST'. + - name: rtt.ms + type: long + description: | + Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/1.9.0/data_stream/vpcflow/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/vpcflow/fields/package-fields.yml 
@@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/manifest.yml b/packages/gcp/1.9.0/data_stream/vpcflow/manifest.yml new file mode 100755 index 0000000000..61718d7823 --- /dev/null +++ b/packages/gcp/1.9.0/data_stream/vpcflow/manifest.yml 
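Review bot: The `project_id` entries under `destination.vpc` and `source.vpc` reuse the instance wording, `ID of the project containing the VM.`, although these groups describe the VPC network rather than the instance, and with Shared VPC the network's project can differ from the VM's, so the copied text reads as a paste error. I'd change both to `ID of the project containing the VPC network.` (confirm against the GCP flow-log record format the pipeline maps from). The two `instance` groups are fine as written.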
@@ -0,0 +1,58 @@ +type: logs +title: Google Cloud Platform (GCP) vpcflow logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-vpcflow + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-vpcflow + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-vpcflow + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/1.9.0/data_stream/vpcflow/sample_event.json b/packages/gcp/1.9.0/data_stream/vpcflow/sample_event.json new file mode 100755 index 0000000000..3d743d26e5 
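Review bot: The `subscription_create` var's description says only that the subscription is created on start and does not mention that this needs additional IAM permissions; the package README in this same change lists `pubsub.subscriptions.create` and `pubsub.topics.attachSubscription` as required only in that case, so a user who built a least-privilege role from the default list and later enables this flag will hit a PermissionDenied at start with no hint in the UI. I'd extend the description to `If true, the integration will create the subscription on start. This requires the service account to also hold the pubsub.subscriptions.create and pubsub.topics.attachSubscription permissions.` The `default: false` is the right choice and should stay.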
--- /dev/null +++ b/packages/gcp/1.9.0/data_stream/vpcflow/sample_event.json 
@@ -0,0 +1,128 @@ +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "67.43.156.14", + "as": { + "number": 35908 + }, + "domain": "elasticsearch", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "port": 9200 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:27:09.739Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821308944Z", + "id": "ut8lbrffooxyp", + "ingested": "2022-05-20T07:27:10Z", + "kind": "event", + "start": "2019-06-14T03:40:08.469099728Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 3 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": 
"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 15169, + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 92, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, + "source": { + "address": "10.87.40.76", + "bytes": 15169, + "domain": "kibana", + "ip": "10.87.40.76", + "packets": 92, + "port": 33880 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} \ No newline at end of file diff --git a/packages/gcp/1.9.0/docs/README.md b/packages/gcp/1.9.0/docs/README.md new file mode 100755 index 0000000000..9e6a1643d4 --- /dev/null +++ b/packages/gcp/1.9.0/docs/README.md 
@@ -0,0 +1,1159 @@ +# Google Cloud Integration + +## Overview + +The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. + +## Authentication + +To use this Google Cloud Platform (GCP) integration, you need to set up a +*Service Account* with a *Role* and a *Service Account Key* to access data on +your GCP project. + +### Service Account + +First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. + +The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. + +If you haven't already, this might be a good moment to check out the [best +practices for securing service +accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) +guide. + +### Role + +You need to grant your Service Account (SA) access to Google Cloud Platform +resources by assigning a role to the account. In order to assign minimal +privileges, create a custom role that has only the privileges required by Agent. +Those privileges are: + +- `pubsub.subscriptions.consume` +- `pubsub.subscriptions.create` * +- `pubsub.subscriptions.get` +- `pubsub.topics.attachSubscription` * + +\* Only required if Agent is expected to create a new subscription. If you +create the subscriptions yourself you may omit these privileges. + +After you have created the custom role, assign the role to your service account. 
+ +### Service Account Keys + +Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. + +From the list of SA: + +1. Click the one you just created to open the detailed view. +2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. +3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). + +## Configure the Integration Settings + +The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). + +The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. + +### Project Id + +The Project Id is the Google Cloud project ID where your resources exist. + +### Credentials File vs Json + +Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. + +#### Option 1: Credentials File + +Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. + +Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. + +#### Option 2: Credentials JSON + +Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. + +#### Recommendations + +Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
+ +## Logs Collection Configuration + +With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. + +### Requirements + +You need to create a few dedicated Google Cloud resources before starting, in detail: + +- Log Sink +- Pub/Sub Topic +- Subscription + +Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. + +Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. + +### On the Google Cloud Console + +At a high level, the steps required are: + +- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. +- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. +- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. +- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. + +This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
+ +More example filters for different log types: + +```text +# +# VPC Flow: logs for specific subnet +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/vpc_flows") AND +resource.labels.subnetwork_name"=[SUBNET_NAME]" + +# +# Audit: Google Compute Engine firewall rule deletion +# +resource.type="gce_firewall_rule" AND +log_id("cloudaudit.googleapis.com/activity") AND +protoPayload.methodName:"firewalls.delete" + +# +# DNS: all DNS queries +# +resource.type="dns_query" + +# +# Firewall: logs for a given country +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/firewall") AND +jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] +``` + +Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. + +To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. + +### On Kibana + +Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. + +From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: + +- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. +- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). +- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
+ +### Troubleshooting + +If you don't see Audit logs showing up, check the Agent logs to see if there are errors. + +Common error types: + +- Missing roles in the Service Account +- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields + +#### Missing Roles in the Service Account + +If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. +``` + +Solution: make sure your SA has all the required roles. + +#### Misconfigured Settings + +If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. +``` + +Solution: double check the integration settings. + +## Logs + +### Audit + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. 
| keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": "xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", 
+ "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` + +### Firewall + +The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | +| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. 
| keyword | +| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | +| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | +| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | +| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | +| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `firewall` looks as following: + +```json +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:26:27.445Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-05-20T07:26:28Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } 
+ }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + "rule": { + "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" + }, + "source": { + "address": "192.168.2.126", + "geo": { + "continent_name": "Asia", + "country_name": "omn" + }, + "ip": "192.168.2.126", + "port": 64853 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ] +} +``` + +### VPC Flow + +The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. 
| keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.instance.region | Region of the VM. | keyword |
+| gcp.destination.instance.zone | Zone of the VM. | keyword |
+| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.instance.region | Region of the VM. | keyword |
+| gcp.source.instance.zone | Zone of the VM. | keyword |
+| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.source.vpc.vpc_name | VPC on which the VM is operating.
| keyword |
+| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
+| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event.
| keyword |
+
+
+An example event for `vpcflow` looks as following:
+
+```json
+{
+ "@timestamp": "2019-06-14T03:50:10.845Z",
+ "agent": {
+ "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "my-sample-project"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.vpcflow",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "67.43.156.14",
+ "as": {
+ "number": 35908
+ },
+ "domain": "elasticsearch",
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.14",
+ "port": 9200
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:27:09.739Z",
+ "dataset": "gcp.vpcflow",
+ "end": "2019-06-14T03:49:51.821308944Z",
+ "id": "ut8lbrffooxyp",
+ "ingested": "2022-05-20T07:27:10Z",
+ "kind": "event",
+ "start": "2019-06-14T03:40:08.469099728Z",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "source": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 3
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
+ "network": {
+ "bytes": 15169,
+ "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=",
+ "direction": "internal",
+ "iana_number": "6",
+ "name": "default",
+ "packets": 92,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "10.87.40.76",
+ "67.43.156.14"
+ ]
+ },
+ "source": {
+ "address": "10.87.40.76",
+ "bytes": 15169,
+ "domain": "kibana",
+ "ip": "10.87.40.76",
+ "packets": 92,
+ "port": 33880
+ },
+ "tags": [
+ "forwarded",
+ "gcp-vpcflow"
+ ]
+}
+```
+
+### DNS
+
+The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset.
| constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.name | The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| gcp.dns.auth_answer | Authoritative answer. | boolean |
+| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
+| gcp.dns.egress_error | Egress proxy error. | keyword |
+| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
+| gcp.dns.query_name | DNS query name. | keyword |
+| gcp.dns.query_type | DNS query type. | keyword |
+| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
+| gcp.dns.response_code | Response code. | keyword |
+| gcp.dns.server_latency | Server latency.
| integer |
+| gcp.dns.source_ip | Source IP address of the query. | ip |
+| gcp.dns.source_network | Source network of the query. | keyword |
+| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version.
| keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event.
| keyword |
+
+
+An example event for `dns` looks as following:
+
+```json
+{
+ "@timestamp": "2022-01-23T09:16:05.341Z",
+ "agent": {
+ "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "europe-west2-a",
+ "instance": {
+ "id": "8340998530665147",
+ "name": "instance"
+ },
+ "project": {
+ "id": "project"
+ },
+ "provider": "gcp",
+ "region": "europe-west2"
+ },
+ "data_stream": {
+ "dataset": "gcp.dns",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "127.0.0.1",
+ "name": "elastic.co",
+ "ttl": "300",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "elastic.co",
+ "registered_domain": "elastic.co",
+ "top_level_domain": "co",
+ "type": "A"
+ },
+ "resolved_ip": [
+ "127.0.0.1"
+ ],
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-05-20T07:25:43.755Z",
+ "dataset": "gcp.dns",
+ "id": "vwroyze8pg7y",
+ "ingested": "2022-05-20T07:25:44Z",
+ "kind": "event",
+ "outcome": "success"
+ },
+ "gcp": {
+ "dns": {
+ "auth_answer": true,
+ "protocol": "UDP",
+ "query_name": "elastic.co.",
+ "query_type": "A",
+ "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
+ "response_code": "NOERROR",
+ "server_latency": 14,
+ "source_ip": "10.154.0.3",
+ "source_network": "default",
+ "vm_instance_id": "8340998530665147",
+ "vm_instance_name": "694119234537.instance",
+ "vm_project_id": "project",
+ "vm_zone_name": "europe-west2-a"
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
+ },
+ "network": {
+ "transport": "udp"
+ },
+ "source": {
+ "address":
"10.154.0.3",
+ "ip": "10.154.0.3"
+ },
+ "tags": [
+ "forwarded",
+ "gcp-dns"
+ ]
+}
+```
diff --git a/packages/gcp/1.9.0/docs/audit.md b/packages/gcp/1.9.0/docs/audit.md
new file mode 100755
index 0000000000..2e8c6995f7
--- /dev/null
+++ b/packages/gcp/1.9.0/docs/audit.md
@@ -0,0 +1,277 @@ +# Audit + +## Logs + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. 
| keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": 
"xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` diff --git a/packages/gcp/1.9.0/docs/dns.md b/packages/gcp/1.9.0/docs/dns.md new file mode 100755 index 0000000000..1d7e31a900 --- /dev/null +++ b/packages/gcp/1.9.0/docs/dns.md 
@@ -0,0 +1,196 @@ +# DNS + +## Logs + +The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.dns.auth_answer | Authoritative answer. | boolean | +| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | +| gcp.dns.egress_error | Egress proxy error. | keyword | +| gcp.dns.protocol | Protocol TCP or UDP. | keyword | +| gcp.dns.query_name | DNS query name. | keyword | +| gcp.dns.query_type | DNS query type. | keyword | +| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | +| gcp.dns.response_code | Response code. | keyword | +| gcp.dns.server_latency | Server latency. | integer | +| gcp.dns.source_ip | Source IP address of the query. | ip | +| gcp.dns.source_network | Source network of the query. | keyword | +| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. 
| keyword | +| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| input.type | Input type | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `dns` looks as following: + +```json +{ + "@timestamp": "2022-01-23T09:16:05.341Z", + "agent": { + "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "europe-west2-a", + "instance": { + "id": "8340998530665147", + "name": "instance" + }, + "project": { + "id": "project" + }, + "provider": "gcp", + "region": "europe-west2" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "127.0.0.1", + "name": "elastic.co", + "ttl": "300", + "type": "A" + } + ], + "question": { + "name": "elastic.co", + "registered_domain": "elastic.co", + "top_level_domain": "co", + "type": "A" + }, + "resolved_ip": [ + "127.0.0.1" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + 
"version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-05-20T07:25:43.755Z", + "dataset": "gcp.dns", + "id": "vwroyze8pg7y", + "ingested": "2022-05-20T07:25:44Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "protocol": "UDP", + "query_name": "elastic.co.", + "query_type": "A", + "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", + "response_code": "NOERROR", + "server_latency": 14, + "source_ip": "10.154.0.3", + "source_network": "default", + "vm_instance_id": "8340998530665147", + "vm_instance_name": "694119234537.instance", + "vm_project_id": "project", + "vm_zone_name": "europe-west2-a" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "transport": "udp" + }, + "source": { + "address": "10.154.0.3", + "ip": "10.154.0.3" + }, + "tags": [ + "forwarded", + "gcp-dns" + ] +} +``` diff --git a/packages/gcp/1.9.0/docs/firewall.md b/packages/gcp/1.9.0/docs/firewall.md new file mode 100755 index 0000000000..bfdbb35812 --- /dev/null +++ b/packages/gcp/1.9.0/docs/firewall.md 
@@ -0,0 +1,253 @@
+# Firewall
+
+## Logs
+
+The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.instance.region | Region of the VM. | keyword |
+| gcp.destination.instance.zone | Zone of the VM. | keyword |
+| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
+| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
+| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
+| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
+| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
+| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
+| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
+| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.instance.region | Region of the VM. | keyword |
+| gcp.source.instance.zone | Zone of the VM. | keyword |
+| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2019-10-30T13:52:42.191Z",
+ "agent": {
+ "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "test-beats"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "10.42.0.2",
+ "domain": "test-windows",
+ "ip": "10.42.0.2",
+ "port": 3389
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:26:27.445Z",
+ "dataset": "gcp.firewall",
+ "id": "1f21ciqfpfssuo",
+ "ingested": "2022-05-20T07:26:28Z",
+ "kind": "event",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "test-beats",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "test-beats",
+ "subnetwork_name": "windows-isolated",
+ "vpc_name": "windows-isolated"
+ }
+ },
+ "firewall": {
+ "rule_details": {
+ "action": "ALLOW",
+ "direction": "INGRESS",
+ "ip_port_info": [
+ {
+ "ip_protocol": "TCP",
+ "port_range": [
+ "3389"
+ ]
+ }
+ ],
+ "priority": 1000,
+ "source_range": [
+ "0.0.0.0/0"
+ ],
+ "target_tag": [
+ "allow-rdp"
+ ]
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
+ },
+ "network": {
+ "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
+ "direction": "inbound",
+ "iana_number": "6",
+ "name": "windows-isolated",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "192.168.2.126",
+ "10.42.0.2"
+ ]
+ },
+ "rule": {
+ "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
+ },
+ "source": {
+ "address": "192.168.2.126",
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "omn"
+ },
+ "ip": "192.168.2.126",
+ "port": 64853
+ },
+ "tags": [
+ "forwarded",
+ "gcp-firewall"
+ ]
+}
+```
diff --git a/packages/gcp/1.9.0/docs/vpcflow.md b/packages/gcp/1.9.0/docs/vpcflow.md
new file mode 100755
index 0000000000..05973abc33
--- /dev/null
+++ b/packages/gcp/1.9.0/docs/vpcflow.md
@@ -0,0 +1,258 @@
+# VPC Flow
+
+## Logs
+
+The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.instance.region | Region of the VM. | keyword |
+| gcp.destination.instance.zone | Zone of the VM. | keyword |
+| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.instance.region | Region of the VM. | keyword |
+| gcp.source.instance.zone | Zone of the VM. | keyword |
+| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
+| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. 
| keyword | + + +An example event for `vpcflow` looks as following: + +```json +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "67.43.156.14", + "as": { + "number": 35908 + }, + "domain": "elasticsearch", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "port": 9200 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:27:09.739Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821308944Z", + "id": "ut8lbrffooxyp", + "ingested": "2022-05-20T07:27:10Z", + "kind": "event", + "start": "2019-06-14T03:40:08.469099728Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 3 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + 
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 15169, + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 92, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, + "source": { + "address": "10.87.40.76", + "bytes": 15169, + "domain": "kibana", + "ip": "10.87.40.76", + "packets": 92, + "port": 33880 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} +``` diff --git a/packages/gcp/1.9.0/img/filebeat-gcp-audit.png b/packages/gcp/1.9.0/img/filebeat-gcp-audit.png new file mode 100755 index 0000000000..4f68932e9f Binary files /dev/null and b/packages/gcp/1.9.0/img/filebeat-gcp-audit.png differ diff --git a/packages/gcp/1.9.0/img/logo_gcp.svg b/packages/gcp/1.9.0/img/logo_gcp.svg new file mode 100755 index 0000000000..75e139f9b2 --- /dev/null +++ b/packages/gcp/1.9.0/img/logo_gcp.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + diff --git a/packages/gcp/1.9.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json new file mode 100755 index 0000000000..fd857ca086 --- /dev/null +++ b/packages/gcp/1.9.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Overview of the audit log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0",
+ "type": "search"
+ },
+ {
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0",
+ "type": "search"
+ },
+ {
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0",
+ "type": "search"
+ },
+ {
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0",
+ "type": "search"
+ },
+ {
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0",
+ "type": "search"
+ },
+ {
+ "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
new file mode 100755
index 0000000000..0462344e04
--- /dev/null
+++ b/packages/gcp/1.9.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json
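Review bot: The audit dashboard saved object is committed without a trailing newline (`\ No newline at end of file` closes the hunk); adding one keeps the file consistent with the package's other text files and stops the final `}` line from churning in every later diff. The date_histogram agg inside `panelsJSON` also carries what looks like transient export state — `\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"}` and `\"used_interval\":\"30d\"` — which Kibana presumably recomputes from the dashboard's own time picker at render time; stripping such fields before commit keeps the saved object minimal and makes re-exports diff cleanly. Neither point changes what the dashboard displays.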
@@ -0,0 +1,152 @@ +{ + "attributes": { + "description": "Overview of the firewall log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] Firewall", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard" +}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/1.9.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
new file mode 100755
index 0000000000..46cef5aac9
--- /dev/null
+++ b/packages/gcp/1.9.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
@@ -0,0 +1,152 @@ +{ + "attributes": { + "description": "Overview of the VPC flow log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
+ "timeRestore": false,
+ "title": "[Logs GCP] VPC Flow",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f",
+ "migrationVersion": {
+ "dashboard": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7",
+ "type": "index-pattern"
+ 
},
+ {
+ "id": "logs-*",
+ "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/1.9.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json
new file mode 100755
index 0000000000..3e96491081
--- /dev/null
+++ b/packages/gcp/1.9.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json
@@ -0,0 +1,39 @@
+{
+ "attributes": {
+ "columns": [
+ "user.email",
+ "service.name",
+ "gcp.audit.type",
+ "event.action",
+ "event.outcome",
+ "source.ip",
+ "source.geo.region_name"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [],
+ "title": "Audit [Logs GCP]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/1.9.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
new file mode 100755
index 0000000000..5f9cb58c69
--- /dev/null
+++ b/packages/gcp/1.9.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json
@@ -0,0 +1,11 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "All assets to monitor GCP",
+ "name": "GCP"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.0/manifest.yml b/packages/gcp/1.9.0/manifest.yml
new file mode 100755
index 0000000000..2fb47f814a
--- /dev/null
+++ b/packages/gcp/1.9.0/manifest.yml
@@ -0,0 +1,64 @@ +name: gcp +title: Google Cloud Platform +version: "1.9.0" +release: ga +description: Collect logs from Google Cloud Platform with Elastic Agent. +type: integration +icons: + - src: /img/logo_gcp.svg + title: logo gcp + size: 32x32 + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - google_cloud + - cloud + - network + - security +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/filebeat-gcp-audit.png + title: filebeat gcp audit + size: 1702x996 + type: image/png +policy_templates: + - name: gcp + title: Google Cloud Platform (GCP) logs + description: Collect logs from Google Cloud Platform (GCP) instances + inputs: + - type: gcp-pubsub + vars: + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + - name: project_id + type: text + title: Project Id + description: Your Google Cloud project ID where the resources exist. + multi: false + required: true + show_user: true + default: SET_PROJECT_NAME + - name: credentials_file + type: text + title: Credentials File + description: The path to the JSON file with the private key. Make sure that the Elastic Agent has at least read-only privileges to this file. + multi: false + required: false + show_user: true + - name: credentials_json + type: text + title: Credentials JSON + description: The content of the JSON file you downloaded from Google Cloud Platform. + multi: false + required: false + show_user: true + title: "Collect Google Cloud Platform (GCP) audit, firewall and vpcflow logs (input: gcp-pubsub)" + description: "Collecting audit, firewall and vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" +owner: + github: elastic/security-external-integrations diff --git a/packages/httpjson/1.2.2/changelog.yml b/packages/httpjson/1.2.2/changelog.yml new file mode 100755 index 0000000000..0f31eaa45d --- /dev/null +++ b/packages/httpjson/1.2.2/changelog.yml 
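Review bot: `credentials_json` holds the Google service-account key (a private key in JSON form) but is declared `type: text` with `show_user: true`, so the value is rendered unmasked in the Fleet policy form and stored as an ordinary text variable; declare it `type: password` so Kibana masks it, as the httpjson package in this same commit does for `oauth_secret` and `password`. `project_id` ships `default: SET_PROJECT_NAME`, a placeholder that is deployed literally if a policy is saved without editing it; since the variable is already `required: true`, dropping the `default:` line forces a real value to be entered. The input's `title`/`description` strings are quoted because they contain `: `; the same care is not needed for `kibana.version`, which is fine unquoted here.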
@@ -0,0 +1,30 @@ +- version: "1.2.2" + changes: + - description: Fixes rendering issue for custom oauth2 scopes + type: bugfix + link: https://github.com/elastic/integrations/pull/3295 +- version: "1.2.1" + changes: + - description: Adds missing `delegated_account` option for Google Oauth2 + type: bugfix + link: https://github.com/elastic/integrations/pull/3256 +- version: "1.2.0" + changes: + - description: Update ECS to 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.1.1" + changes: + - description: Fixes typo in config template + type: bugfix + link: https://github.com/elastic/integrations/pull/2883 +- version: "1.1.0" + changes: + - description: Fixes issues with certain configuration fields not working + type: bugfix + link: https://github.com/elastic/integrations/pull/2815 +- version: "1.0.0" + changes: + - description: Initial Implementation + type: enhancement + link: https://github.com/elastic/integrations/pull/2154 diff --git a/packages/httpjson/1.2.2/data_stream/generic/agent/stream/httpjson.yml.hbs b/packages/httpjson/1.2.2/data_stream/generic/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..8d2fd81d68 --- /dev/null +++ b/packages/httpjson/1.2.2/data_stream/generic/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,148 @@ +config_version: 2 +data_stream: + dataset: {{data_stream.dataset}} +interval: {{request_interval}} +{{#unless oauth_id}} +{{#if username}} +auth.basic.user: {{username}} +{{/if}} +{{#if password}} +auth.basic.password: {{password}} +{{/if}} +{{/unless}} +{{#if pipeline}} +pipeline: {{pipeline}} +{{/if}} +{{#if oauth_id}} +{{#if oauth_id}} +auth.oauth2.client.id: {{oauth_id}} +{{/if}} +{{#if oauth_secret}} +auth.oauth2.client.secret: {{oauth_secret}} +{{/if}} +{{#if oauth_token_url}} +auth.oauth2.token_url: {{oauth_token_url}} +{{/if}} +{{#if oauth_provider}} +auth.oauth2.provider: {{oauth_provider}} +{{/if}} +{{#if oauth_scopes}} +auth.oauth2.scopes: +{{#each oauth_scopes as |scope i|}} + - {{scope}} +{{/each}} +{{/if}} +{{#if oauth_google_credentials_file}} +auth.oauth2.google.credentials_file: {{oauth_google_credentials_file}} +{{/if}} +{{#if oauth_google_credentials_json}} +auth.oauth2.google.credentials_json: '{{oauth_google_credentials_json}}' +{{/if}} +{{#if oauth_google_jwt_file}} +auth.oauth2.google.jwt_file: {{oauth_google_jwt_file}} +{{/if}} +{{#if oauth_google_delegated_account}} +auth.oauth2.google.delegated_account: {{oauth_google_delegated_account}} +{{/if}} +{{#if oauth_azure_tenant_id}} +auth.oauth2.azure.tenant_id: {{oauth_azure_tenant_id}} +{{/if}} +{{#if oauth_azure_resource}} +auth.oauth2.azure.resource: {{oauth_azure_resource}} +{{/if}} +{{#if oauth_endpoint_params}} +auth.oauth2.endpoint_params: + {{oauth_endpoint_params}} +{{/if}} +{{/if}} + +request.url: {{request_url}} +request.method: {{request_method}} +{{#if request_body}} +request.body: + {{request_body}} +{{/if}} +{{#if request_transforms}} +request.transforms: + {{request_transforms}} +{{/if}} +{{#if request_ssl}} +request.ssl: + {{request_ssl}} +{{/if}} +{{#if request_encode_as}} +request.encode_as: {{request_encode_as}} +{{/if}} +{{#if request_timeout}} +request.timeout: {{request_timeout}} +{{/if}} +{{#if request_proxy_url}} +request.proxy_url: 
{{request_proxy_url}} +{{/if}} +{{#if request_retry_max_attempts}} +request.retry.max_attempts: {{request_retry_max_attempts}} +{{/if}} +{{#if request_retry_wait_min}} +request.retry.wait_min: {{request_retry_wait_min}} +{{/if}} +{{#if request_retry_wait_max}} +request.retry.wait_max: {{request_retry_wait_max}} +{{/if}} +{{#if request_redirect_forward_headers}} +request.redirect.forward_headers: {{request_redirect_forward_headers}} +{{/if}} +{{#if request_redirect_headers_ban_list}} +request.redirect.headers_ban_list: +{{#each request_redirect_headers_ban_list as |item i|}} + - {{item}} +{{/each}} +{{/if}} +{{#if request_redirect_max_redirects}} +request.redirect.max_redirects: {{request_redirect_max_redirects}} +{{/if}} +{{#if request_rate_limit_limit}} +request.rate_limit.limit: {{request_rate_limit_limit}} +{{/if}} +{{#if request_rate_limit_reset}} +request.rate_limit.reset: {{request_rate_limit_reset}} +{{/if}} +{{#if request_rate_limit_remaining}} +request.rate_limit.remaining: {{request_rate_limit_remaining}} +{{/if}} + +{{#if response_transforms}} +response.transforms: + {{response_transforms}} +{{/if}} +{{#if response_split}} +response.split: + {{response_split}} +{{/if}} +{{#if response_pagination}} +response.pagination: {{response_pagination}} +{{/if}} +{{#if response_decode_as}} +response.decode_as: {{response_decode_as}} +{{/if}} +{{#if response_request_body_on_pagination}} +response.request_body_on_pagination: {{response_request_body_on_pagination}} +{{/if}} + +{{#if cursor}} +cursor: + {{cursor}} +{{/if}} + +{{#if tags}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/httpjson/1.2.2/data_stream/generic/fields/base-fields.yml b/packages/httpjson/1.2.2/data_stream/generic/fields/base-fields.yml new file mode 100755 index 0000000000..d8277624ff --- /dev/null 
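Review bot: `auth.basic.password: {{password}}` and `auth.oauth2.client.secret: {{oauth_secret}}` interpolate secrets as bare YAML scalars, so a secret containing `: ` or ` #`, starting with `*`, `&`, `[` or `{`, or looking like a boolean or number is re-typed or breaks the rendered config; the template already single-quotes `oauth_google_credentials_json`, so apply the same form, `auth.basic.password: '{{password}}'` and `auth.oauth2.client.secret: '{{oauth_secret}}'` (a value containing `'` would still need its quotes doubled, which is worth a comment in the template). `request.url`, `request.proxy_url` and the `- {{scope}}` / `- {{item}}` loop bodies have the same exposure for values with YAML-special characters. The inner `{{#if oauth_id}}` immediately inside the outer `{{#if oauth_id}}` guard is redundant and can be removed together with its `{{/if}}`.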
+++ b/packages/httpjson/1.2.2/data_stream/generic/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: httpjson +- name: event.dataset + type: constant_keyword + description: Event dataset + value: httpjson.generic +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/httpjson/1.2.2/data_stream/generic/fields/beats.yml b/packages/httpjson/1.2.2/data_stream/generic/fields/beats.yml new file mode 100755 index 0000000000..ede6958855 --- /dev/null +++ b/packages/httpjson/1.2.2/data_stream/generic/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: tags + type: keyword + description: User defined tags diff --git a/packages/httpjson/1.2.2/data_stream/generic/fields/ecs.yml b/packages/httpjson/1.2.2/data_stream/generic/fields/ecs.yml new file mode 100755 index 0000000000..87e386ebf3 --- /dev/null +++ b/packages/httpjson/1.2.2/data_stream/generic/fields/ecs.yml 
@@ -0,0 +1,11 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text diff --git a/packages/httpjson/1.2.2/data_stream/generic/manifest.yml b/packages/httpjson/1.2.2/data_stream/generic/manifest.yml new file mode 100755 index 0000000000..c4a6699d38 --- /dev/null +++ b/packages/httpjson/1.2.2/data_stream/generic/manifest.yml 
@@ -0,0 +1,340 @@ +title: Custom HTTPJSON Input +type: logs +streams: + - input: httpjson + description: Collect custom data from REST API's + template_path: httpjson.yml.hbs + title: Custom HTTPJSON Input + vars: + - name: data_stream.dataset + type: text + title: Dataset name + description: | + Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html). + default: httpjson.generic + required: true + show_user: true + - name: pipeline + type: text + title: Ingest Pipeline + description: | + The Ingest Node pipeline ID to be used by the integration. + required: false + show_user: true + - name: request_url + type: text + title: Request URL + description: i.e. scheme://host:port/path + show_user: true + required: true + default: https://server.example.com:8089/api + - name: request_interval + type: text + title: Request Interval + description: How often the API is polled, supports seconds, minutes and hours. 
+ show_user: true + required: true + default: 1m + - name: request_method + type: text + title: Request HTTP Method + description: Supports either GET or POST + show_user: true + required: true + default: GET + - name: username + type: text + title: Basic Auth Username + show_user: true + required: false + description: The username to be used with Basic Auth headers + - name: password + type: password + title: Basic Auth Password + show_user: true + required: false + description: The password to be used with Basic Auth headers + - name: oauth_id + type: text + title: Oauth2 Client ID + description: Client ID used for Oauth2 authentication + show_user: true + required: false + - name: oauth_secret + type: password + title: Oauth2 Client Secret + description: Client secret used for Oauth2 authentication + show_user: true + required: false + - name: oauth_token_url + type: text + title: Oauth2 Token URL + description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable. + show_user: true + required: false + - name: request_body + type: yaml + title: Request Body + description: An optional HTTP body if the request method is POST. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_body) + show_user: true + multi: false + required: false + default: | + #query: + # bool: + # filter: + # term: + # type: authentication + - name: request_transforms + type: yaml + title: Request Transforms + description: Optional transformations to perform on the request before it is sent. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#request-transforms). 
+ show_user: true + multi: false + required: false + default: | + #- set: + # target: body.from + # value: '[[now (parseDuration "-1h")]]' + #- set: + # target: url.params.limit + # value: 10 + - name: response_transforms + type: yaml + title: Response Transforms + description: Optional transformations to perform on the response before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-transforms). + show_user: true + multi: false + required: false + default: | + #- delete: + # target: body.very_confidential + - name: response_split + type: yaml + title: Response Split + description: Optional transformations to perform on the response to split the response into separate documents before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-split). + show_user: true + multi: false + required: false + default: | + #target: body.data + #keep_parent: true + - name: response_pagination + type: yaml + title: Response Pagination + description: Optional settings if pagination is required to retrieve all results. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-pagination). + show_user: true + multi: false + required: false + default: | + #- set: + # target: url.value + # value: http://localhost:9200/_search/scroll + #- set: + # target: url.params.scroll_id + # value: '[[.last_response.body._scroll_id]]' + - name: cursor + type: yaml + title: Custom request cursor + description: | + A cursor is used to keep state between each API request, and can be set to for example the value of something in the response body. 
+ More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#cursor). + show_user: true + multi: false + required: false + default: | + #last_requested_at: + # value: '[[now]]' + - name: request_ssl + type: yaml + title: Request SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc, more examples found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) + multi: false + required: false + show_user: false + default: | + #verification_mode: none + - name: request_encode_as + type: text + title: Request Encode As + description: ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the Content-Type header value. + show_user: false + multi: false + required: false + - name: request_timeout + type: text + title: Request Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. Default is "30"s. + show_user: false + multi: false + required: false + - name: request_proxy_url + type: text + title: Request Proxy + description: This specifies proxy configuration in the form of `http[s]://:@:`. + show_user: false + multi: false + required: false + - name: request_retry_max_attempts + type: text + title: Request Retry Max Attempts + description: The maximum number of retries for the HTTP client. Default is "5". + show_user: false + multi: false + required: false + - name: request_retry_wait_min + type: text + title: Request Retry Wait Min + description: The minimum time to wait before a retry is attempted. Default is "1s". + show_user: false + multi: false + required: false + - name: request_retry_wait_max + type: text + title: Request Retry Wait Max + description: The maximum time to wait before a retry is attempted. Default is "60s". 
+ show_user: false + multi: false + required: false + - name: request_redirect_forward_headers + type: bool + title: Request Redirect Forward Headers + description: When set to true request headers are forwarded in case of a redirect. Default is "false". + show_user: false + multi: false + required: false + - name: request_redirect_headers_ban_list + type: text + title: Request Redirect Headers Ban List + description: When Redirect Forward Headers is set to true, all headers except the ones defined in this list will be forwarded. All headers are forwarded by default. + show_user: false + multi: true + required: false + - name: request_redirect_max_redirects + type: text + title: Request Redirect Max Redirects + description: The maximum number of redirects to follow for a request. Default is "10". + show_user: false + multi: false + required: false + - name: request_rate_limit_limit + type: text + title: Request Rate Limit + description: The value of the response that specifies the total limit. It is defined with a Go template value. + show_user: false + multi: false + required: false + - name: request_rate_limit_reset + type: text + title: Request Rate Limit Reset + description: The value of the response that specifies the epoch time when the rate limit will reset. It is defined with a Go template value. + show_user: false + multi: false + required: false + - name: request_rate_limit_remaining + type: text + title: Request Rate Limit Remaining + description: The value of the response that specifies the remaining quota of the rate limit. It is defined with a Go template value. + show_user: false + multi: false + required: false + - name: oauth_provider + type: text + title: Oauth2 Provider + description: Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are "azure" and "google". 
+ show_user: false + multi: false + required: false + - name: oauth_scopes + type: text + title: Oauth2 Scopes + description: A list of scopes that will be requested during the oauth2 flow. It is optional for all providers. + show_user: false + multi: true + required: false + - name: oauth_google_credentials_file + type: text + title: Oauth2 Google Credentials File + description: The full path to the credentials file for Google. + show_user: false + multi: false + required: false + - name: oauth_google_credentials_json + type: text + title: Oauth2 Google Credentials JSON + description: Your Google credentials information as raw JSON. + show_user: false + multi: false + required: false + - name: oauth_google_jwt_file + type: text + title: Oauth2 Google JWT File + description: Full path to the JWT Account Key file for Google. + show_user: false + multi: false + required: false + - name: oauth_google_delegated_account + type: text + title: Oauth2 Google Delegated account + description: Email of the delegated account used to create the credentials (usually an admin). + show_user: false + multi: false + required: false + - name: oauth_azure_tenant_id + type: text + title: Oauth2 Azure Tenant ID + description: Optional setting used for authentication when using Azure provider. Since it is used in the process to generate the token_url, it can’t be used in combination with it. + show_user: false + multi: false + required: false + - name: oauth_azure_resource + type: text + title: Oauth2 Azure Resource + description: Optional setting for the accessed WebAPI resource when using azure provider. + show_user: false + multi: false + required: false + - name: oauth_endpoint_params + type: yaml + title: Oauth2 Endpoint Params + description: Set of values that will be sent on each request to the token_url. Each param key can have multiple values. Can be set for all providers except google. 
+ show_user: false + multi: false + required: false + default: | + #Param1: + # - ValueA + # - ValueB + #Param2: + # - Value + - name: response_decode_as + type: text + title: Response decode settings + description: | + ContentType used for decoding the response body. Supported values: application/json, application/x-ndjson. By default it will use what is in the response Content-Type header. + show_user: false + required: false + - name: response_request_body_on_pagination + type: bool + title: Include request body on Pagination + description: | + If set to true, the values in request.body are sent with pagination requests. + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded diff --git a/packages/httpjson/1.2.2/data_stream/generic/sample_event.json b/packages/httpjson/1.2.2/data_stream/generic/sample_event.json new file mode 100755 index 0000000000..97f5b56929 --- /dev/null +++ b/packages/httpjson/1.2.2/data_stream/generic/sample_event.json 
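Review bot: `oauth_google_credentials_json` carries a service-account private key but is declared `type: text`, while `password` and `oauth_secret` in the same stream use `type: password`; change it to `type: password` so the value is masked in the policy UI. The `request_ssl` default offers `#verification_mode: none` as its only example, which steers users towards disabling certificate verification on an endpoint that usually receives their credentials; an example that keeps verification on, such as a commented `certificate_authorities` entry with an illustrative path, documents the option without suggesting the insecure setting. The `request_timeout` description reads `Default is "30"s.` and should read `Default is "30s".`. The `request_proxy_url` description shows `http[s]://:@:`, which looks like the placeholder names were lost; confirm the intended form before release.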
@@ -0,0 +1,36 @@ +{ + "@timestamp": "2022-03-10T12:47:55.098Z", + "agent": { + "ephemeral_id": "03c96875-43cc-4abc-b998-99527ff31de3", + "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "httpjson.generic", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-03-10T12:47:55.098Z", + "dataset": "httpjson.generic", + "ingested": "2022-03-10T12:47:56Z" + }, + "input": { + "type": "httpjson" + }, + "message": "{\"message\":\"success\",\"page\":2}", + "tags": [ + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/httpjson/1.2.2/docs/README.md b/packages/httpjson/1.2.2/docs/README.md new file mode 100755 index 0000000000..f575d64220 --- /dev/null +++ b/packages/httpjson/1.2.2/docs/README.md 
@@ -0,0 +1,20 @@ +# Custom HTTPJSON input integration + +The custom HTTPJSON input integration is used to ingest data from custom RESTful API's that do not currently have an existing integration. + +The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events. + +## Configuration + +The extensive documentation for the input are currently available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html). + +The most commonly used configuration options are available on the main integration page, while more advanced and customizable options currently resides under the "Advanced options" part of the integration settings page. + +Configuration is split into three main categories, Request, Response, and Cursor. + +The request part of the configuration handles points like which URL endpoint to communicate with, the request body, specific transformations that have to happen before a request is sent out and some custom options like request proxy, timeout and similar options. + +The response part of the configuration handles options like transformation, rate limiting, pagination, and splitting the response into different documents before it is sent to Elasticsearch. + +The cursor part of the configuration is used when there is a need to keep state between each of the API requests, for example if a timestamp is returned in the response, that should be used as a filter in the next request after that, the cursor is a place where this is stored. + diff --git a/packages/httpjson/1.2.2/manifest.yml b/packages/httpjson/1.2.2/manifest.yml new file mode 100755 index 0000000000..91bd750cf3 --- /dev/null +++ b/packages/httpjson/1.2.2/manifest.yml 
@@ -0,0 +1,22 @@ +format_version: 1.0.0 +name: httpjson +title: Custom HTTPJSON Input +description: Collect custom data from REST API's with Elastic Agent. +type: integration +version: 1.2.2 +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +license: basic +categories: + - custom +policy_templates: + - name: generic + title: Custom HTTPJSON Input + description: Collect custom data from REST API's + inputs: + - type: httpjson + title: Collect custom data from REST API's + description: Collect custom data from REST API's +owner: + github: elastic/security-external-integrations diff --git a/packages/iptables/0.10.1/changelog.yml b/packages/iptables/0.10.1/changelog.yml new file mode 100755 index 0000000000..679f271486 --- /dev/null +++ b/packages/iptables/0.10.1/changelog.yml 
@@ -0,0 +1,119 @@ +# newer versions go on top +- version: "0.10.1" + changes: + - description: Update sample event based on current pipeline. + type: bugfix + link: https://github.com/elastic/integrations/pull/3358 +- version: "0.10.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "0.9.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "0.8.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.8.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2414 +- version: "0.7.0" + changes: + - description: Add journald input support and change release stability to beta. + type: enhancement + link: https://github.com/elastic/integrations/pull/2525 + - description: Format MAC addresses as RFC 7042. + type: breaking-change + link: https://github.com/elastic/integrations/pull/2525 +- version: "0.6.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.6.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.6.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2272 +- version: "0.5.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2101 +- version: "0.5.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1970 +- version: "0.5.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1825 +- version: "0.5.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1665 +- version: "0.4.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1484 +- version: '0.4.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1391 +- version: "0.4.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.3.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1266 +- version: "0.2.1-next" + changes: + - description: Sync ingest pipeline with Filebeat + type: enhancement + link: https://github.com/elastic/integrations/pull/1094 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1057 +- version: "0.1.0" + changes: + - description: Move all processing to Ingest Node. Switch from syslog input to udp. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/665 +- version: "0.0.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/852 +- version: "0.0.3" + changes: + - description: Fix compatibility with Kibana + type: enhancement + link: https://github.com/elastic/integrations/pull/740 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/446 diff --git a/packages/iptables/0.10.1/data_stream/log/agent/stream/journald.yml.hbs b/packages/iptables/0.10.1/data_stream/log/agent/stream/journald.yml.hbs new file mode 100755 index 0000000000..151c7583f7 --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/agent/stream/journald.yml.hbs @@ -0,0 +1,27 @@ +condition: ${host.platform} == 'linux' + +{{#if paths}} +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +{{/if}} + +include_matches: +- _TRANSPORT=kernel + +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +{{#if processors}} +processors: +- drop_event: + when.not.regexp.message: 'IN=[^ ]* OUT=' +{{processors}} +{{/if}} diff --git a/packages/iptables/0.10.1/data_stream/log/agent/stream/log.yml.hbs b/packages/iptables/0.10.1/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..9fd98fa47e --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ 
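Review bot: The `drop_event` processor that discards kernel messages not matching `IN=[^ ]* OUT=` is emitted only inside `{{#if processors}}`, so a policy with no user-defined processors ingests every `_TRANSPORT=kernel` journal entry into the iptables data stream instead of only the netfilter lines; emit `processors:` and the `drop_event` entry unconditionally and guard only `{{processors}}`, mirroring how log.yml.hbs in this commit always emits `- add_locale: ~`. `include_matches:` also uses a flush sequence (`- _TRANSPORT=kernel`) while `paths` and `tags` indent their items; pick one sequence style for the file.

```handlebars
{{!-- … unchanged: condition, paths, include_matches, tags, forwarded check … --}}
processors:
- drop_event:
    when.not.regexp.message: 'IN=[^ ]* OUT='
{{#if processors}}
{{processors}}
{{/if}}
```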
diff --git a/packages/iptables/0.10.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/iptables/0.10.1/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..0b127c740d --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ \ No newline at end of file diff --git a/packages/iptables/0.10.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/iptables/0.10.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0e7a4fe0b5 --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,378 @@ +--- +description: Pipeline for iptables logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + + # These two fields are treated as immutable in the case reindexing. + - set: + field: event.original + copy_from: message + override: false + - set: + field: event.created + copy_from: '@timestamp' + override: false + + # Journald input field cleanup. + - remove: + field: + - syslog.priority + - syslog.facility + ignore_missing: true + - rename: + field: syslog.pid + target_field: log.syslog.pid + ignore_missing: true + - rename: + field: syslog.identifier + target_field: log.syslog.identifier + ignore_missing: true + - remove: + description: Cleanup an empty syslog object. + if: ctx?.syslog != null && ctx.syslog instanceof Map && ctx.syslog.isEmpty() + field: syslog + + # Parse the header if it is syslog, otherwise treat the whole value as 'message'. + - grok: + description: Parse syslog header. + field: event.original + patterns: + - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} %{GREEDYDATA:message}' + - '^%{SYSLOG_TIMESTAMP} %{GREEDYDATA:message}' + pattern_definitions: + ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' + SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})' + on_failure: + - set: + field: message + copy_from: event.original + + - grok: + field: message + patterns: + - '%{IPTABLES_HOSTNAME}%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{IPTABLES_ACTION}%{GREEDYDATA}%{IPTABLES}%{SPACE}' + - '%{IPTABLES_HOSTNAME}%{SPACE}%{UDM_LOGS}%{IPTABLES_IP_PAYLOAD}' + - '%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{GREEDYDATA}%{IPTABLES}%{SPACE}' + pattern_definitions: + ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority>' + IPTABLES_HOSTNAME: '%{HOSTNAME:observer.name}%{SPACE}(%{NOTSPACE}%{SPACE})?kernel:' + IPTABLES_ACTION: '(:?%{WORD:event.action}:|%{IPTABLES_HOSTNAME}%{SPACE}iptables%{SPACE}%{WORD:event.action}|%{IPTABLES_HOSTNAME})' + UNSIGNED_INT: 
'[0-9]+' + ETHTYPE: (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}) + ETHTYPE_DISCARD: (?::[A-Fa-f0-9]{2})* + NETFILTERMAC: (?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?) + IPTABLES_ETHERNET: 'IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: + MAC=%{NETFILTERMAC})?' + IPTABLES_PORT_PAIR: SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int} + IPTABLES_TCP_FLAGS: (CWR |ECE |URG |ACK |PSH |RST |SYN |FIN )* + IPTABLES_TCP_SEQ: SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int} + IPTABLES_TCP_DETAILS: (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} + RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags} + IPTABLES_INCOMPLETE_PACKET: INCOMPLETE \[%{UNSIGNED_INT:iptables.incomplete_bytes:int} + bytes\] + IPTABLES_UDP_DETAILS: LEN=%{UNSIGNED_INT:iptables.udp.length:int} + IPTABLES_ICMP_EXTRA_ECHO: ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int} + IPTABLES_ICMP_EXTRA_PARAM: PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int} + IPTABLES_ICMP_EXTRA_REDIRECT: GATEWAY=%{IP:iptables.icmp.redirect} + IPTABLES_ICMP_EXTRA: ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))* + IPTABLES_ICMP_DETAILS: TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( + %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA}) + IPTABLES_PROTOCOL: PROTO=(?[a-zA-Z0-9]+) + IPTABLES_IP_PAYLOAD: '%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?' 
+ IPTABLES_IP_FRAGFLAG: ((?<= )(CE|DF|MF))* + IPTABLES_IP_START: 'SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} + TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: + %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?' + IPTABLES_IP: '%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES_IPV6_START: SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} + FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int} + IPTABLES_IPV6: '%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES: '%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})' + UBIQUITI_FIELD: '[^-\]]*' + UBIQUITI_RULESET_NAME: '[^\]]*' + UBIQUITI_LABEL: '%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.action}' + UDM_LOGS: '(%{UNSIGNED_INT}%{SPACE})?(TTL|TL|L)=(%{UNSIGNED_INT:iptables.ttl:int})%{SPACE}(ID=(%{UNSIGNED_INT:iptables.id:int})%{SPACE})?(DF%{SPACE})?' 
+ - grok: + field: iptables.ubiquiti.rule_set + ignore_missing: true + ignore_failure: true + patterns: + - '%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}' + pattern_definitions: + UBIQUITI_FIELD: '[^-]*' + - date: + if: ctx?._tmp?.timestamp8601 != null + field: _tmp.timestamp8601 + formats: + - ISO8601 + - date: + if: ctx?.event?.timezone == null && ctx?._tmp?.timestamp != null + field: _tmp.timestamp + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + on_failure: + - append: + field: error.message + value: 'date processor error: {{{ _ingest.on_failure_message }}}' + - date: + if: ctx?.event?.timezone != null && ctx?._tmp?.timestamp != null + field: _tmp.timestamp + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + timezone: '{{{ event.timezone }}}' + on_failure: + - append: + field: error.message + value: 'date processor error: {{{ _ingest.on_failure_message }}}' + - set: + field: observer.name + copy_from: hostname + if: ctx?.observer?.name == null && ctx?.hostname != null + - set: + field: observer.hostname + copy_from: hostname + if: ctx?.observer?.name == null && ctx?.hostname != null + - lowercase: + field: network.transport + ignore_missing: true + - lowercase: + field: event.action + ignore_missing: true + + # GeoIP and Autonomous System Enrichment + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: 
source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + - script: + description: Enrich event with ECS fields. + lang: painless + params: + mappings: + - source: + object: iptables + key: ether_type + destination: + object: network + key: type + map: + 08:00: ipv4 + 86:dd: ipv6 + - source: + object: event + key: action + destination: + object: event + key: action + map: + d: drop + a: accept + - source: + object: event + key: action + destination: + object: event + key: type + map: + drop: denied + accept: allowed + deny: denied + drop_input: denied + - source: + object: network + key: transport + destination: + object: network + key: transport + map: + icmpv6: ipv6-icmp + source: >- + for (action in params.mappings) { + def src = ctx[action.source.object]; + if (src != null) { + Map map = action.map; + String key = src[action.source.key]; + String mapping = map[key]; + if (mapping != null) { + Map dst = ctx[action.destination.object]; + if (dst == null) { + dst = new HashMap(); + ctx[action.destination.object] = dst; + } + dst[action.destination.key] = mapping; + } + } + } + - community_id: + ignore_missing: true + icmp_type: iptables.icmp.type + icmp_code: iptables.icmp.code + - script: + description: Convert bit fields to numbers. 
+ lang: painless + params: + hex_fields_to_convert: + - ether_type + - tos + - precedence_bits + - tcp_reserved_bits + source: >- + def iptables = ctx['iptables']; + if (iptables != null) { + for (key in params.hex_fields_to_convert) { + long value = 0; + def field = iptables[key]; + if (field == null) continue; + char[] hex = field.toLowerCase().toCharArray(); + for (chr in hex) { + long v = -1; + if (chr >= (char) 'a' && chr <= (char) 'f') v = (long) chr - (char) 'a' + 10; + else if (chr >= (char) '0' && chr <= (char) '9') v = (long) chr - (char) '0'; + if (v >= 0) { + value = value * 16 + v; + } + iptables[key] = value; + } + } + } + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + - append: + field: event.type + value: connection + if: ctx?.source?.ip != null && ctx?.destination?.ip != null + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null + allow_duplicates: false + - rename: + field: iptables.tcp_reserved_bits + target_field: iptables.tcp.reserved_bits + ignore_missing: true + - split: + field: iptables.tcp.flags + separator: "\\s+" + ignore_missing: true + - split: + field: iptables.fragment_flags + separator: "\\s+" + ignore_missing: true + - set: + if: ctx?.iptables?.ubiquiti?.output_zone != null + field: observer.egress.zone + copy_from: iptables.ubiquiti.output_zone + - set: + if: ctx?.iptables?.ubiquiti?.input_zone != null + field: observer.ingress.zone + copy_from: iptables.ubiquiti.input_zone + - set: + if: ctx?.iptables?.ubiquiti?.rule_number != null + field: rule.id + copy_from: iptables.ubiquiti.rule_number + - set: + if: ctx?.iptables?.ubiquiti?.rule_set != null + field: rule.name + copy_from: iptables.ubiquiti.rule_set + + # Format source.mac address. 
+ - gsub: + field: source.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + - gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + - uppercase: + field: source.mac + ignore_missing: true + + # Format destination.mac address. + - gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + - gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + - uppercase: + field: destination.mac + ignore_missing: true + + - remove: + field: + - _tmp + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - remove: + field: + - _tmp + ignore_failure: true + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/iptables/0.10.1/data_stream/log/fields/agent.yml b/packages/iptables/0.10.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..589de95acb --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/fields/agent.yml 
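Review bot: The `date` processor for `_tmp.timestamp8601` has no `on_failure` handler, unlike the two `_tmp.timestamp` processors that follow it, so an ISO-8601 header that fails to parse (unlikely, but the value is attacker-supplied log text) falls through to the pipeline-level `on_failure`, which appends `error.message` and then stops the pipeline: no grok of the iptables body, no GeoIP, and `event.original` is left on the document even without the `preserve_original_event` tag. Give it the same handler as its siblings, `on_failure: - append: field: error.message value: 'date processor error: {{{ _ingest.on_failure_message }}}'`. In the second grok, `pattern_definitions.ECS_SYSLOG_PRI` is a leftover with an unclosed `%{NONNEGINT:log.syslog.priority` and is referenced by none of that grok's patterns; drop it rather than keep a broken definition next to the working one in the first grok. `IPTABLES_ACTION` and `IPTABLES` both open a group with `(:?` where `(?:` was meant, which currently makes a stray leading `:` optional instead of making the group non-capturing. As printed, `IPTABLES_PROTOCOL` reads `PROTO=(?[a-zA-Z0-9]+)` with no group name, which the grok compiler would reject; if the `<network.transport>` name was lost in rendering, disregard this last point.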
@@ -0,0 +1,213 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: hostname + type: keyword + description: Hostname from syslog header. 
+- name: log.source.address + type: keyword + description: Source address of the syslog message. +- name: process.program + type: keyword + description: Process from syslog header. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/iptables/0.10.1/data_stream/log/fields/base-fields.yml b/packages/iptables/0.10.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..6610e6239f --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: iptables +- name: event.dataset + type: constant_keyword + description: Event dataset + value: iptables.log +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/iptables/0.10.1/data_stream/log/fields/ecs.yml b/packages/iptables/0.10.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..e08df76c2c --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,176 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
+ name: event.outcome + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. 
+ name: network.type + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. 
+ name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/iptables/0.10.1/data_stream/log/fields/fields.yml b/packages/iptables/0.10.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..fcb55ec47a --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/fields/fields.yml 
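Review bot: `related.hosts` is declared in ecs.yml but, as far as the ingest pipeline in this commit shows, nothing populates it: the pipeline appends `source.ip` and `destination.ip` to `related.ip` only, while `observer.name` (parsed from the syslog/kernel line) and `hostname` are never added, so host-centric searches across integrations will miss iptables events. Either append them, e.g. `- append: field: related.hosts value: '{{{observer.name}}}' if: ctx?.observer?.name != null allow_duplicates: false`, or drop the declaration. `log.syslog.facility.code` and `network.forwarded_ip` are likewise declared here but never set by the pipeline, which removes `syslog.facility` outright.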
@@ -0,0 +1,122 @@ +- name: iptables.ether_type + type: long + description: | + Value of the ethernet type field identifying the network layer protocol. +- name: iptables.flow_label + type: integer + description: | + IPv6 flow label. +- name: iptables.fragment_flags + type: keyword + description: | + IP fragment flags. A combination of CE, DF and MF. +- name: iptables.fragment_offset + type: long + description: | + Offset of the current IP fragment. +- name: iptables.icmp + type: group + fields: + - name: code + type: long + description: | + ICMP code. + - name: id + type: long + description: | + ICMP ID. + - name: parameter + type: long + description: | + ICMP parameter. + - name: redirect + type: ip + description: | + ICMP redirect address. + - name: seq + type: long + description: | + ICMP sequence number. + - name: type + type: long + description: | + ICMP type. +- name: iptables.id + type: long + description: | + Packet identifier. +- name: iptables.incomplete_bytes + type: long + description: | + Number of incomplete bytes. +- name: iptables.input_device + type: keyword + description: | + Device that received the packet. +- name: iptables.precedence_bits + type: short + description: | + IP precedence bits. +- name: iptables.tos + type: long + description: | + IP Type of Service field. +- name: iptables.length + type: long + description: | + Packet length. +- name: iptables.output_device + type: keyword + description: | + Device that output the packet. +- name: iptables.tcp + type: group + fields: + - name: flags + type: keyword + description: | + TCP flags. + - name: reserved_bits + type: short + description: | + TCP reserved bits. + - name: seq + type: long + description: | + TCP sequence number. + - name: ack + type: long + description: | + TCP Acknowledgment number. + - name: window + type: long + description: | + Advertised TCP window size. +- name: iptables.ttl + type: integer + description: | + Time To Live field. 
+- name: iptables.udp + type: group + fields: + - name: length + type: long + description: | + Length of the UDP header and payload. +- name: iptables.ubiquiti + type: group + fields: + - name: input_zone + type: keyword + description: | + Input zone. + - name: output_zone + type: keyword + description: | + Output zone. + - name: rule_number + type: keyword + description: The rule number within the rule set. + - name: rule_set + type: keyword + description: The rule set name. diff --git a/packages/iptables/0.10.1/data_stream/log/fields/journald-input.yml b/packages/iptables/0.10.1/data_stream/log/fields/journald-input.yml new file mode 100755 index 0000000000..e6c7f307e7 --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/fields/journald-input.yml @@ -0,0 +1,19 @@ +- name: journald.host.boot_id + type: keyword + description: > + The kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string. + +- name: systemd.transport + type: keyword + description: > + How the entry was received by the journal service. + +- name: log.syslog.identifier + type: keyword + description: > + Identifier (usually process) contained in the syslog header. + +- name: log.syslog.pid + type: long + description: >- + PID contained in the syslog header. diff --git a/packages/iptables/0.10.1/data_stream/log/manifest.yml b/packages/iptables/0.10.1/data_stream/log/manifest.yml new file mode 100755 index 0000000000..efa49cb1d1 --- /dev/null +++ b/packages/iptables/0.10.1/data_stream/log/manifest.yml 
@@ -0,0 +1,121 @@
+type: logs
+title: Iptables log logs
+release: beta
+streams:
+ - input: udp
+ template_path: udp.yml.hbs
+ title: Iptables syslog logs
+ description: Collect iptables logs using udp input
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - iptables-log
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ template_path: log.yml.hbs
+ title: Iptables log logs
+ description: Collect iptables logs using log input
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/iptables.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - iptables-log
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. Changes made to event data can break processing that happens in Ingest Node. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: journald
+ title: Iptables logs from journald
+ template_path: journald.yml.hbs
+ description: Collect iptables logs logged by the kernel to journald. The integration queries for
+ vars:
+ - name: paths
+ type: text
+ title: Journal paths
+ multi: true
+ show_user: false
+ description: >
+ List of journals to read from. Defaults to the system journal.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - iptables-log
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/iptables/0.10.1/data_stream/log/sample_event.json b/packages/iptables/0.10.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..c93360a79c
--- /dev/null
+++ b/packages/iptables/0.10.1/data_stream/log/sample_event.json
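Review bot: The journald stream's `description` ends mid-sentence (`... logged by the kernel to journald. The integration queries for`), so the text Fleet shows users is truncated; either complete it with the journal match the stream actually applies (journald.yml.hbs is not in this diff, so I cannot name it) or cut it at `description: Collect iptables logs logged by the kernel to journald.`. The journald stream also defines no `preserve_original_event` variable, unlike the udp and logfile streams; if journald.yml.hbs references that variable it renders unset, so worth confirming against the template. The logfile `processors` description additionally carries the sentence "Changes made to event data can break processing that happens in Ingest Node." that the udp and journald copies lack — the three should read the same. All three points are inside this single hunk, which creates the whole file.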
@@ -0,0 +1,127 @@ +{ + "@timestamp": "2022-10-10T07:25:12.000Z", + "agent": { + "ephemeral_id": "1671d166-d142-4164-a530-8d26e609c135", + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.1.3" + }, + "data_stream": { + "dataset": "iptables.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.4.0.5", + "mac": "90-10-20-76-8D-20", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "snapshot": false, + "version": "8.1.3" + }, + "event": { + "action": "drop", + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-05-16T21:22:06.206Z", + "dataset": "iptables.log", + "ingested": "2022-05-16T21:22:07Z", + "kind": "event", + "timezone": "+00:00", + "type": [ + "denied", + "connection" + ] + }, + "input": { + "type": "udp" + }, + "iptables": { + "ether_type": 2048, + "fragment_flags": [ + "DF" + ], + "id": 0, + "input_device": "eth0", + "length": 52, + "output_device": "", + "precedence_bits": 0, + "tcp": { + "flags": [ + "ACK" + ], + "reserved_bits": 0, + "window": 2853 + }, + "tos": 0, + "ttl": 63, + "ubiquiti": { + "input_zone": "wan", + "output_zone": "lan", + "rule_number": "default", + "rule_set": "wan-lan" + } + }, + "log": { + "source": { + "address": "172.18.0.7:58273" + }, + "syslog": { + "priority": 161 + } + }, + "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "network": { + "community_id": "1:jc/7ajWLmm0xdpLA7mOyvas9TyE=", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "zone": "lan" + }, + "ingress": { + "zone": "wan" + }, + "name": "Hostname" + }, + "related": { + "ip": [ + "67.43.156.15", + "10.4.0.5" + ] + }, + "rule": { + "id": "default", + 
"name": "wan-lan" + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "mac": "90-10-65-29-B6-2A", + "port": 38842 + }, + "tags": [ + "iptables-log", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/docs/README.md b/packages/iptables/0.10.1/docs/README.md new file mode 100755 index 0000000000..07ca0f3ac8 --- /dev/null +++ b/packages/iptables/0.10.1/docs/README.md 
@@ -0,0 +1,273 @@ +# Iptables Integration + +This is an integration for `iptables` and `ip6tables` logs. It parses logs +received over the network via syslog (UDP), read from a file, or read from +journald. Also, it understands the prefix added by some Ubiquiti firewalls, +which includes the rule set name, rule number, and the action performed on the +traffic (allow/deny). + +The module is by default configured to run with the `udp` input on port `9001`. +However, it can also be configured to read from a file path or journald. + +## Logs + +### Iptables log + +This is the Iptables `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-10-10T07:25:12.000Z", + "agent": { + "ephemeral_id": "1671d166-d142-4164-a530-8d26e609c135", + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.1.3" + }, + "data_stream": { + "dataset": "iptables.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.4.0.5", + "mac": "90-10-20-76-8D-20", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "snapshot": false, + "version": "8.1.3" + }, + "event": { + "action": "drop", + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-05-16T21:22:06.206Z", + "dataset": "iptables.log", + "ingested": "2022-05-16T21:22:07Z", + "kind": "event", + "timezone": "+00:00", + "type": [ + "denied", + "connection" + ] + }, + "input": { + "type": "udp" + }, + "iptables": { + "ether_type": 2048, + "fragment_flags": [ + "DF" + ], + "id": 0, + "input_device": "eth0", + "length": 52, + "output_device": "", + "precedence_bits": 0, + "tcp": { + "flags": [ + "ACK" + ], + "reserved_bits": 0, + "window": 2853 + }, + "tos": 0, + "ttl": 63, + "ubiquiti": { + "input_zone": "wan", + "output_zone": "lan", + "rule_number": "default", + "rule_set": "wan-lan" + } + }, + "log": { + "source": 
{ + "address": "172.18.0.7:58273" + }, + "syslog": { + "priority": 161 + } + }, + "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "network": { + "community_id": "1:jc/7ajWLmm0xdpLA7mOyvas9TyE=", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "zone": "lan" + }, + "ingress": { + "zone": "wan" + }, + "name": "Hostname" + }, + "related": { + "ip": [ + "67.43.156.15", + "10.4.0.5" + ] + }, + "rule": { + "id": "default", + "name": "wan-lan" + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "mac": "90-10-65-29-B6-2A", + "port": 38842 + }, + "tags": [ + "iptables-log", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Hostname from syslog header. 
| keyword | +| input.type | Input type | keyword | +| iptables.ether_type | Value of the ethernet type field identifying the network layer protocol. | long | +| iptables.flow_label | IPv6 flow label. | integer | +| iptables.fragment_flags | IP fragment flags. A combination of CE, DF and MF. | keyword | +| iptables.fragment_offset | Offset of the current IP fragment. | long | +| iptables.icmp.code | ICMP code. | long | +| iptables.icmp.id | ICMP ID. | long | +| iptables.icmp.parameter | ICMP parameter. | long | +| iptables.icmp.redirect | ICMP redirect address. | ip | +| iptables.icmp.seq | ICMP sequence number. | long | +| iptables.icmp.type | ICMP type. | long | +| iptables.id | Packet identifier. | long | +| iptables.incomplete_bytes | Number of incomplete bytes. | long | +| iptables.input_device | Device that received the packet. | keyword | +| iptables.length | Packet length. | long | +| iptables.output_device | Device that output the packet. | keyword | +| iptables.precedence_bits | IP precedence bits. | short | +| iptables.tcp.ack | TCP Acknowledgment number. | long | +| iptables.tcp.flags | TCP flags. | keyword | +| iptables.tcp.reserved_bits | TCP reserved bits. | short | +| iptables.tcp.seq | TCP sequence number. | long | +| iptables.tcp.window | Advertised TCP window size. | long | +| iptables.tos | IP Type of Service field. | long | +| iptables.ttl | Time To Live field. | integer | +| iptables.ubiquiti.input_zone | Input zone. | keyword | +| iptables.ubiquiti.output_zone | Output zone. | keyword | +| iptables.ubiquiti.rule_number | The rule number within the rule set. | keyword | +| iptables.ubiquiti.rule_set | The rule set name. | keyword | +| iptables.udp.length | Length of the UDP header and payload. | long | +| journald.host.boot_id | The kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. 
It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address of the syslog message. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.identifier | Identifier (usually process) contained in the syslog header. | keyword | +| log.syslog.pid | PID contained in the syslog header. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. 
| keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| process.program | Process from syslog header. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.port | Port of the source. | long | +| systemd.transport | How the entry was received by the journal service. | keyword | +| tags | List of keywords used to tag each event. | keyword | + diff --git a/packages/iptables/0.10.1/img/kibana-iptables-ubiquiti.png b/packages/iptables/0.10.1/img/kibana-iptables-ubiquiti.png new file mode 100755 index 0000000000..246f2ace26 Binary files /dev/null and b/packages/iptables/0.10.1/img/kibana-iptables-ubiquiti.png differ diff --git a/packages/iptables/0.10.1/img/kibana-iptables.png b/packages/iptables/0.10.1/img/kibana-iptables.png new file mode 100755 index 0000000000..a12929d11d Binary files /dev/null and b/packages/iptables/0.10.1/img/kibana-iptables.png differ diff --git a/packages/iptables/0.10.1/img/linux.svg b/packages/iptables/0.10.1/img/linux.svg new file mode 100755 index 0000000000..c0a92e0c0f --- /dev/null +++ b/packages/iptables/0.10.1/img/linux.svg 
@@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/iptables/0.10.1/kibana/dashboard/iptables-ceefb9e0-1f51-11e9-93ed-f7e068f4aebb.json b/packages/iptables/0.10.1/kibana/dashboard/iptables-ceefb9e0-1f51-11e9-93ed-f7e068f4aebb.json new file mode 100755 index 0000000000..06349b7605 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/dashboard/iptables-ceefb9e0-1f51-11e9-93ed-f7e068f4aebb.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "Overview of the iptables events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:iptables.log\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":37,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":19,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":18,\"x\":19,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":11,\"x\":37,\"y\":30},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"819f99c3-9bfa-4b32-b42a-eaddd3a1cafa\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":t
rue,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"515d04a8-6e07-48ea-a5c8-ca668c73f20b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Source Map [Logs Iptables]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"bfc1b1f2-5e9d-4e48-b6bb-c601bf895655\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\"
:{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"iptables.length:*\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Source Map [Logs 
Iptables]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"be0cae7a-45f7-4912-88ad-47924a84445e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"be0cae7a-45f7-4912-88ad-47924a84445e\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"6b510351-9284-44f3-8997-27e6ad4ec559\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"e9743ec6-ebc4-427d-9c20-48f1cec1fcaa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Destination Map [Logs Iptables]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"786e2e19-4809-49b5-91ba-5cb5a740d21b\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"iptables.length:*\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerCont
rol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Map [Logs Iptables]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"abcc1ae8-b22b-4a2a-b7ad-2082ba3f71aa\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"abcc1ae8-b22b-4a2a-b7ad-2082ba3f71aa\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Iptables] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-ceefb9e0-1f51-11e9-93ed-f7e068f4aebb", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "iptables-4c913eb0-1f51-11e9-93ed-f7e068f4aebb", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "iptables-2599f5e0-1e98-11e9-8ec4-cf5d91a864b3", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "iptables-b57b7370-1f1d-11e9-8ec4-cf5d91a864b3", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "iptables-35fe0910-1f26-11e9-8ec4-cf5d91a864b3", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "iptables-683402b0-1f29-11e9-8ec4-cf5d91a864b3", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "8:panel_8", + "type": "search" + }, + { + "id": "logs-*", + 
"name": "be0cae7a-45f7-4912-88ad-47924a84445e:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "abcc1ae8-b22b-4a2a-b7ad-2082ba3f71aa:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/dashboard/iptables-d39f0980-1ff3-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/dashboard/iptables-d39f0980-1ff3-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..5e43a42c49 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/dashboard/iptables-d39f0980-1ff3-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Overview of the Ubiquiti Firewall iptables events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:iptables.log\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"allow\":\"#64B0C8\",\"deny\":\"#E24D42\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":33,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"title\":\"Event Timeline\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"title\":\"Top Blocked by source IP\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"allow\":\"#7EB26D\",\"deny\":\"#E24D42\",\"icmp\":\"#F29191\",\"ipv4\":\"#65C5DB\",\"ipv6\":\"#D683CE\",\"ipv6-icmp\":\"#EA6460\",\"tcp\":\"#447EBC\",\"udp\":\"#F2C96D\"}}},\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"title\":\"Traffic Breakdown by Protocol\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"title\":\"Event View\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"title\":\"Traffic Breakdown by 
Port\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"7f6a8971-2ac4-49df-9ed3-2a81500c5e1d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9291aa55-640f-4ca8-9341-b73eecc00855\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Ubiquiti Firewall Allowed Traffic Map [Logs Iptables]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"715de528-553d-4800-91d9-12bab368b24b\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\
"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Allowed Traffic Map\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"02e3739f-47c9-45ac-b225-0e4f92dab753\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"02e3739f-47c9-45ac-b225-0e4f92dab753\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"3ba7d195-0d25-4f48-97a4-96e65b0e0b1b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"a6ce0882-5543-4649-9ebb-3393a06c44e6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Ubiquiti Firewall Blocked Traffic Map [Logs 
Iptables]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"b93a08fa-124c-40a9-9171-37264d256c79\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"
VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Blocked Traffic Map\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"0cff36eb-abec-44db-9887-4ba9668d7c02\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"0cff36eb-abec-44db-9887-4ba9668d7c02\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Iptables] Ubiquiti Firewall Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-d39f0980-1ff3-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "iptables-758b3620-1fda-11e9-ae2a-939083c6a64e", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": 
"iptables-1ba82fd0-1ff0-11e9-ae2a-939083c6a64e", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "iptables-fdea1ad0-1ff4-11e9-ae2a-939083c6a64e", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "name": "6:panel_6", + "type": "search" + }, + { + "id": "iptables-190bcb50-1ff6-11e9-ae2a-939083c6a64e", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "02e3739f-47c9-45ac-b225-0e4f92dab753:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0cff36eb-abec-44db-9887-4ba9668d7c02:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/search/iptables-7862cab0-1fdb-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/search/iptables-7862cab0-1fdb-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..479e8c565c --- /dev/null +++ b/packages/iptables/0.10.1/kibana/search/iptables-7862cab0-1fdb-11e9-ae2a-939083c6a64e.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"iptables.ubiquiti.rule_set :* and event.outcome : \\\"allow\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Ubiquiti Firewall Allowed Events [Logs Iptables]", + "version": 1 + }, + "id": "iptables-7862cab0-1fdb-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/search/iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/search/iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..bf4ed9153f --- /dev/null +++ b/packages/iptables/0.10.1/kibana/search/iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e.json @@ -0,0 +1,33 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"iptables.ubiquiti.rule_set :* and event.outcome : \\\"deny\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Ubiquiti Firewall Blocked Events [Logs Iptables]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/search/iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/search/iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..e72fbb56a8 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/search/iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length :*\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Events Search [Logs Iptables]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/search/iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/search/iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..c6bfb4bf36 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/search/iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e.json @@ -0,0 +1,33 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"iptables.ubiquiti.rule_set :*\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Ubiquiti Firewall Events [Logs Iptables]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-190bcb50-1ff6-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-190bcb50-1ff6-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..9f5043e01e --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-190bcb50-1ff6-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Traffic by Port [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.outcome\",\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination port\",\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Ubiquiti Firewall Traffic by Port [Logs Iptables]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-190bcb50-1ff6-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-1ba82fd0-1ff0-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-1ba82fd0-1ff0-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..0d6d70af2f --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-1ba82fd0-1ff0-11e9-ae2a-939083c6a64e.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Top Blocked IPs [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Ubiquiti Firewall Top Blocked IPs [Logs Iptables]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-1ba82fd0-1ff0-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-2599f5e0-1e98-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-2599f5e0-1e98-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..a645172d8e --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-2599f5e0-1e98-11e9-8ec4-cf5d91a864b3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Source Countries [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Countries [Logs Iptables]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-2599f5e0-1e98-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-35fe0910-1f26-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-35fe0910-1f26-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..b01a1bdfbb --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-35fe0910-1f26-11e9-8ec4-cf5d91a864b3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Network Transport Breakdown [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Transport Breakdown [Logs Iptables]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-35fe0910-1f26-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-4c913eb0-1f51-11e9-93ed-f7e068f4aebb.json b/packages/iptables/0.10.1/kibana/visualization/iptables-4c913eb0-1f51-11e9-93ed-f7e068f4aebb.json new file mode 100755 index 0000000000..1d8fb63fec --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-4c913eb0-1f51-11e9-93ed-f7e068f4aebb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Events Timeline [Logs Iptables]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events Timeline [Logs Iptables]\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-4c913eb0-1f51-11e9-93ed-f7e068f4aebb", + "migrationVersion": { + "visualization": "8.0.0" + }, + 
"references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-5bd53050-1fe9-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-5bd53050-1fe9-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..034a56acbb --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-5bd53050-1fe9-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Allowed Traffic Map [Logs Iptables]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"Ubiquiti Firewall Allowed Traffic Map [Logs Iptables]\",\"type\":\"tile_map\"}" + }, + "id": "iptables-5bd53050-1fe9-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "iptables-7862cab0-1fdb-11e9-ae2a-939083c6a64e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-683402b0-1f29-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-683402b0-1f29-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..42b363d6de --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-683402b0-1f29-11e9-8ec4-cf5d91a864b3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destination Ports [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Iptables]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-683402b0-1f29-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-758b3620-1fda-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-758b3620-1fda-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..36fdbf521d --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-758b3620-1fda-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Event Timeline [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"allow\":\"#64B0C8\",\"deny\":\"#E24D42\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2019-01-24T15:47:12.171Z\",\"mode\":\"absolute\",\"to\":\"2019-01-24T15:47:52.785Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"top\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trunca
te\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Ubiquiti Firewall Event Timeline [Logs Iptables]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-758b3620-1fda-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-8853aa20-1fef-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-8853aa20-1fef-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..7e00d4326f --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-8853aa20-1fef-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Blocked Traffic Map [Logs Iptables]", + "uiStateJSON": "{\"mapCenter\":[19.228176737766262,-22.851562500000004],\"mapZoom\":3}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"Ubiquiti Firewall Blocked Traffic Map [Logs Iptables]\",\"type\":\"tile_map\"}" + }, + "id": "iptables-8853aa20-1fef-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "iptables-9f7d97c0-1fe9-11e9-ae2a-939083c6a64e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-b57b7370-1f1d-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-b57b7370-1f1d-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..84f6665bd9 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-b57b7370-1f1d-11e9-8ec4-cf5d91a864b3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Network Type Breakdown [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Type Breakdown [Logs Iptables]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-b57b7370-1f1d-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-c4394ec0-1efd-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-c4394ec0-1efd-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..abeb25955e --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-c4394ec0-1efd-11e9-8ec4-cf5d91a864b3.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Map [Logs Iptables]", + "uiStateJSON": "{\"mapCenter\":[45.02695045318546,-44.82421875000001],\"mapZoom\":3}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"Source Map [Logs Iptables]\",\"type\":\"tile_map\"}" + }, + "id": "iptables-c4394ec0-1efd-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-d8cea010-1efd-11e9-8ec4-cf5d91a864b3.json b/packages/iptables/0.10.1/kibana/visualization/iptables-d8cea010-1efd-11e9-8ec4-cf5d91a864b3.json new file mode 100755 index 0000000000..2e628de27c --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-d8cea010-1efd-11e9-8ec4-cf5d91a864b3.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"iptables.length:*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Map [Logs Iptables]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"origin\":\"elastic_maps_service\"}}},\"title\":\"Destination Map [Logs Iptables]\",\"type\":\"tile_map\"}" + }, + "id": "iptables-d8cea010-1efd-11e9-8ec4-cf5d91a864b3", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "iptables-b3f1b010-1f26-11e9-8ec4-cf5d91a864b3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/iptables/0.10.1/kibana/visualization/iptables-fdea1ad0-1ff4-11e9-ae2a-939083c6a64e.json b/packages/iptables/0.10.1/kibana/visualization/iptables-fdea1ad0-1ff4-11e9-ae2a-939083c6a64e.json new file mode 100755 index 0000000000..6a54d09763 --- /dev/null +++ b/packages/iptables/0.10.1/kibana/visualization/iptables-fdea1ad0-1ff4-11e9-ae2a-939083c6a64e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Ubiquiti Firewall Traffic Breakdown [Logs Iptables]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"deny\":\"#E24D42\",\"icmp\":\"#F29191\",\"ipv4\":\"#65C5DB\",\"ipv6\":\"#D683CE\",\"ipv6-icmp\":\"#EA6460\",\"tcp\":\"#447EBC\",\"udp\":\"#F2C96D\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":false,\"show\":true,\"truncate\":100,\"values\":false},\"legendPosition\":\"top\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Ubiquiti Firewall Traffic Breakdown [Logs Iptables]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "iptables-fdea1ad0-1ff4-11e9-ae2a-939083c6a64e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": 
"iptables-c4e80aa0-1fd4-11e9-ae2a-939083c6a64e",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/iptables/0.10.1/manifest.yml b/packages/iptables/0.10.1/manifest.yml
new file mode 100755
index 0000000000..1e59217c77
--- /dev/null
+++ b/packages/iptables/0.10.1/manifest.yml
@@ -0,0 +1,43 @@
+name: iptables
+title: Iptables Logs
+version: "0.10.1"
+release: beta
+description: Collect and parse logs from iptables and ip6tables with Elastic Agent.
+type: integration
+icons:
+ - src: /img/linux.svg
+ title: linux
+ size: 299x354
+ type: image/svg+xml
+format_version: 1.0.0
+license: basic
+categories:
+ - network
+ - security
+conditions:
+ kibana.version: ^8.0.0
+screenshots:
+ - src: /img/kibana-iptables.png
+ title: kibana iptables
+ size: 1492x1382
+ type: image/png
+ - src: /img/kibana-iptables-ubiquiti.png
+ title: kibana iptables ubiquiti
+ size: 1492x1464
+ type: image/png
+policy_templates:
+ - name: iptables
+ title: Iptables logs
+ description: Collect logs from iptables instances
+ inputs:
+ - type: udp
+ title: "Collect iptables application logs (input: udp)"
+ description: "Collecting application logs from iptables instances (input: udp)"
+ - type: logfile
+ title: "Collect iptables application logs (input: logfile)"
+ description: "Collecting application logs from iptables instances (input: logfile)"
+ - type: journald
+ title: "Collect iptables application logs (input: journald)"
+ description: "Collecting application logs from iptables instances (input: journald)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/juniper_srx/1.3.0/changelog.yml b/packages/juniper_srx/1.3.0/changelog.yml
new file mode 100755
index 0000000000..72c2583f37
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/changelog.yml
@@ -0,0 +1,36 @@
+# newer versions go on top
+- version: "1.3.0"
+ changes:
+ - description: Add TLS and custom options support to TCP input
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3320
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.1.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2418
+- version: "1.0.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.0"
+ changes:
+ - description: Initial release of new package split from oroginal Juniper package
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/2068
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..6bafca7cc9
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/logfile.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+prospector.scanner.exclude_files: ['\.gz$']
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..12309d4b4e
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..0696ac9d89
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/atp.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/atp.yml
new file mode 100755
index 0000000000..44d01d3639
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/atp.yml
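Review bot: `{{tcp_options}}` in tcp.yml.hbs is emitted verbatim at the top level after the processors list, so a user-supplied block that repeats a key this template already writes (`host`, `ssl`, `tags`, `processors`) produces duplicate top-level keys, and which copy wins is then decided by the YAML loader rather than by the template. A Handlebars comment above it would make the contract explicit, e.g. `{{! tcp_options is spliced in at top level; it must not repeat host, ssl, tags or processors }}`. The same applies to `ssl: {{ssl}}`, which assumes the variable renders as a single-line (flow) YAML mapping; a multi-line rendering would not be indented under the key and would not parse as intended.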
@@ -0,0 +1,364 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (atp pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: alert
+ if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
+- append:
+ field: event.category
+ value: malware
+ if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'"
+- set:
+ field: event.action
+ value: malware_detected
+ if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_server
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_server != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_server != null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+ field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip != null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_client != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_client != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.username != null"
+- rename:
+ field: juniper.srx.hostname
+ target_field: source.domain
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.hostname != null"
+- rename:
+ field: juniper.srx.client_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.client_ip != null"
+
+######################
+## ECS URL Mapping ##
+######################
+- rename:
+ field: juniper.srx.http_host
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.http_host != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: juniper.srx.protocol_id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_id != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+###############
+## Timestamp ##
+###############
+- date:
+ if: 'ctx.juniper.srx?.timestamp != null'
+ field: juniper.srx.timestamp
+ target_field: juniper.srx.timestamp
+ formats:
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ on_failure:
+ - remove:
+ field:
+ - juniper.srx.timestamp
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.bytes_from_client
+ - juniper.srx.packets_from_client
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.bytes_from_server
+ - juniper.srx.packets_from_server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7399a1fe75
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
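Review bot: The date processor's condition in the Timestamp section, `if: 'ctx.juniper.srx?.timestamp != null'`, dereferences `ctx.juniper` without the null-safe operator that every other condition in this pipeline uses (`ctx.juniper?.srx?...`), so a document that reaches this pipeline without a `juniper` object fails the processor with a null pointer error instead of being skipped; change it to `if: 'ctx.juniper?.srx?.timestamp != null'`. Whether such a document can reach this pipeline depends on the calling default pipeline, which is outside this hunk, so the inconsistency is the concrete point rather than a reproduced failure. Separately, each `set ... value: '{{destination.port}}'` followed by `convert ... type: long` for the server.* and client.* mirrors round-trips a number through a string; `set` with `copy_from: destination.port` keeps the type and drops the follow-up convert, though that is a style choice.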
@@ -0,0 +1,321 @@
+---
+# This module only supports syslog messages in the format "structured-data + brief"
+# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html
+description: Pipeline for parsing junipersrx firewall logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
+ patterns:
+ - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:_temp_.original}\]$'
+
+# split Juniper-SRX fields
+ - kv:
+ field: _temp_.original
+ field_split: " (?=[a-z0-9\\_\\-]+=)"
+ value_split: "="
+ prefix: "juniper.srx."
+ ignore_missing: true
+ ignore_failure: false
+ trim_value: "\""
+
+# Converts all kebab-case key names to snake_case
+ - script:
+ lang: painless
+ source: >-
+ ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue()));
+
+#
+# Parse the date
+#
+ - date:
+ if: "ctx?.event?.timezone == null"
+ field: _temp_.raw_date
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss z
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+ - date:
+ if: "ctx?.event?.timezone != null"
+ timezone: "{{ event.timezone }}"
+ field: _temp_.raw_date
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss z
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+
+# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time.
+# -> juniper.srx.elapsed_time
+ - rename:
+ field: juniper.srx.elapsed_time
+ target_field: juniper.srx.duration
+ if: "ctx?.juniper?.srx?.elapsed_time != null"
+
+# Sets starts, end and duration when start and duration is known
+ - script:
+ lang: painless
+ if: ctx?.juniper?.srx?.duration != null
+ source: >-
+ ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L;
+ ctx.event.start = ctx['@timestamp'];
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS);
+
+# Removes all empty fields
+ - script:
+ lang: painless
+ params:
+ values:
+ - "None"
+ - "UNKNOWN"
+ - "N/A"
+ - "-"
+ source: >-
+ ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+
+#######################
+## ECS Event Mapping ##
+#######################
+ - convert:
+ field: syslog_pri
+ type: long
+ target_field: event.severity
+ ignore_failure: true
+
+#####################
+## ECS Log Mapping ##
+#####################
+# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes
+ - set:
+ field: "log.level"
+ if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)'
+ value: emergency
+ - set:
+ field: "log.level"
+ if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)'
+ value: alert
+ - set:
+ field: "log.level"
+ if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)'
+ value: critical
+ - set:
+ field: "log.level"
+ if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)'
+ value: error
+ - set:
+ field: "log.level"
+ if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)'
+ value: warning
+ - set:
+ field: "log.level"
+ if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)'
+ value: notification
+ - set:
+ field: "log.level"
+ if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)'
+ value: informational
+ - set:
+ field: "log.level"
+ if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)'
+ value: debug
+
+##########################
+## ECS Observer Mapping ##
+##########################
+ - set:
+ field: observer.vendor
+ value: Juniper
+ - set:
+ field: observer.product
+ value: SRX
+ - set:
+ field: observer.type
+ value: firewall
+ - rename:
+ field: syslog_hostname
+ target_field: observer.name
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.packet_incoming_interface
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.destination_interface_name
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.source_interface_name
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.interface_name
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.source_zone_name
+ target_field: observer.ingress.zone
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.source_zone
+ target_field: observer.ingress.zone
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.destination_zone_name
+ target_field: observer.egress.zone
+ ignore_missing: true
+ - rename:
+ field: juniper.srx.destination_zone
+ target_field: observer.egress.zone
+ ignore_missing: true
+ - rename:
+ field: syslog_program
+ target_field: juniper.srx.process
+ ignore_missing: true
+ - rename:
+ field: log_type
+ target_field: juniper.srx.tag
+ ignore_missing: true
+
+
+#############
+## Cleanup ##
+#############
+ - remove:
+ field:
+ - message
+ - _temp_
+ - juniper.srx.duration
+ - juniper.srx.dir_disp
+ - juniper.srx.srczone
+ - juniper.srx.dstzone
+ - juniper.srx.duration
+ - syslog_pri
+ ignore_missing: true
+
+################################
+## Product Specific Pipelines ##
+################################
+ - pipeline:
+ name: '{{ IngestPipeline "flow" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_FLOW'"
+ - pipeline:
+ name: '{{ IngestPipeline "utm" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_UTM'"
+ - pipeline:
+ name: '{{ IngestPipeline "idp" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_IDP'"
+ - pipeline:
+ name: '{{ IngestPipeline "ids" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_IDS'"
+ - pipeline:
+ name: '{{ IngestPipeline "atp" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_AAMW'"
+ - pipeline:
+ name: '{{ IngestPipeline "secintel" }}'
+ if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'"
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number == '0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+ ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+
+#########################
+## ECS Related Mapping ##
+#########################
+ - append:
+ if: 'ctx.source?.ip != null'
+ field: related.ip
+ value: '{{source.ip}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx.destination?.ip != null'
+ field: related.ip
+ value: '{{destination.ip}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx.source?.nat?.ip != null'
+ field: related.ip
+ value: '{{source.nat.ip}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx?.destination?.nat?.ip != null'
+ field: related.ip
+ value: '{{destination.nat.ip}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx.url?.domain != null'
+ field: related.hosts
+ value: '{{url.domain}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx.source?.domain != null'
+ field: related.hosts
+ value: '{{source.domain}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx.destination?.domain != null'
+ field: related.hosts
+ value: '{{destination.domain}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx?.source?.user?.name != null'
+ field: related.user
+ value: '{{source.user.name}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx?.destination?.user?.name != null'
+ field: related.user
+ value: '{{destination.user.name}}'
+ ignore_failure: true
+ allow_duplicates: false
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/flow.yml
new file mode 100755
index 0000000000..bf9fcbeb05
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/flow.yml
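Review bot: The eight `log.level` set processors in the Log Mapping section skip PRI values 120–127 (facility 15): every list jumps from "112" to "128", so such messages receive `event.severity` but no `log.level`. The severity is `syslog_pri % 8`, so one script covers every facility and replaces the lists; `syslog_pri` is still a string at that point because the earlier convert writes to `event.severity`, and it is only dropped by the later cleanup `remove`. Separately, `juniper.srx.duration` is listed twice in that cleanup `remove`, and the kebab-to-snake script calls `.entrySet()` on `ctx?.juniper?.srx` with no `if` guard, so a document with no kv output fails the whole pipeline to `on_failure` instead of passing through; `if: ctx.juniper?.srx != null` would match the guard style used on the duration script.
```yaml
# replaces the eight log.level set processors
  - script:
      lang: painless
      if: ctx.syslog_pri != null
      source: >-
        def levels = ['emergency', 'alert', 'critical', 'error', 'warning', 'notification', 'informational', 'debug'];
        if (ctx.log == null) { ctx.log = [:]; }
        ctx.log.level = levels[Integer.parseInt(ctx.syslog_pri) % 8];
# … unchanged: observer mapping, cleanup, product specific pipelines …
```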
@@ -0,0 +1,363 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (flow pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- convert:
+ field: juniper.srx.application_risk
+ type: float
+ target_field: event.risk_score
+ ignore_missing: true
+ ignore_failure: true
+- append:
+ field: event.type
+ value:
+ - start
+ - allowed
+ - connection
+ if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
+- append:
+ field: event.type
+ value:
+ - end
+ - allowed
+ - connection
+ if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
+- append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
+- set:
+ field: event.action
+ value: flow_started
+ if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
+- set:
+ field: event.action
+ value: flow_close
+ if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
+- set:
+ field: event.action
+ value: flow_deny
+ if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx?.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_server
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_server != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_server != null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+ field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip != null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_client != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_client != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.username != null"
+
+######################
+## ECS Rule Mapping ##
+######################
+- rename:
+ field: juniper.srx.policy_name
+ target_field: rule.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.policy_name != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: juniper.srx.protocol_id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_id != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- script:
+ lang: painless
+ source: "ctx.network.packets = ctx.client.packets + ctx.server.packets"
+ if: "ctx?.client?.packets != null && ctx?.server?.packets != null"
+ ignore_failure: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - juniper.srx.application_risk
+ - juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.bytes_from_client
+ - juniper.srx.packets_from_client
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.bytes_from_server
+ - juniper.srx.packets_from_server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/idp.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/idp.yml
new file mode 100755
index 0000000000..0b26118a9f
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/idp.yml
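Review bot: The `network.bytes` and `network.packets` scripts at the end of the Network/Geo section assign into `ctx.network`, which in this file only exists when `juniper.srx.protocol_id` was present and renamed to `network.iana_number`; with `ignore_failure: true` the resulting NullPointerException is swallowed, so both totals are silently absent for flows that carry no protocol id. Prefixing each source with `if (ctx.network == null) { ctx.network = [:]; }` makes the totals independent of that field, e.g. `source: "if (ctx.network == null) { ctx.network = [:]; } ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"`. The packets script also sums `client.packets + server.packets` while the bytes script sums `source.*`/`destination.*`; the values are copies of each other, but `ctx.source.packets + ctx.destination.packets` keeps the pair consistent. The `event.type`/`event.action` conditions call `.endsWith()` on `ctx.juniper?.srx?.tag` unguarded, unlike the `event.outcome` set that first checks `tag != null`, so if the tag is ever absent the whole sub-pipeline lands in `on_failure` instead of just skipping those processors.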
@@ -0,0 +1,288 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (idp pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: alert
+ if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.category
+ value: intrusion_detection
+ if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: application_ddos
+ if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: security_threat
+ if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx['nat_destination_port'] != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.inbound_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.inbound_bytes != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.inbound_packets
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.inbound_packets !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+ field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip != null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.outbound_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.outbound_bytes != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.outbound_packets
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.outbound_packets != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.username != null"
+
+######################
+## ECS Rule Mapping ##
+######################
+- rename:
+ field: juniper.srx.rulebase_name
+ target_field: rule.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.rulebase_name != null"
+- rename:
+ field: juniper.srx.rule_name
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.rule_name != null"
+
+#########################
+## ECS Network Mapping ##
+#########################
+- rename:
+ field: juniper.srx.protocol_name
+ target_field: network.protocol
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_name != null"
+
+#########################
+## ECS message Mapping ##
+#########################
+- rename:
+ field: juniper.srx.message
+ target_field: message
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.message != null"
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.outbound_bytes
+ - juniper.srx.outbound_packets
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.inbound_bytes
+ - juniper.srx.inbound_packets
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/ids.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/ids.yml
new file mode 100755
index 0000000000..9b39206834
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/ids.yml
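Review bot: The Rule Mapping section renames `juniper.srx.rulebase_name` to `rule.name` and `juniper.srx.rule_name` to `rule.id`, so an analyst querying `rule.name` for an IDP rule gets the rulebase instead; ECS provides `rule.ruleset` for the containing rulebase, and `rulebase_name → rule.ruleset` with `rule_name → rule.name` keeps each value where it is looked for (the data stream's field definitions would need the matching change, which is outside this hunk). Two conditions also diverge from the style used everywhere else in the file: `if: "ctx.juniper?.srx['nat_destination_port'] != null"` drops the null-safe `?.` before the bracket access, so a document without `juniper.srx` may throw instead of skipping the processor, and `"ctx.juniper?.srx?.inbound_packets !=null"` lacks the space around `!=`. Writing both as `ctx.juniper?.srx?.<field> != null` matches the neighbouring processors.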
@@ -0,0 +1,364 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (ids pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: alert
+ if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.category
+ value: intrusion_detection
+ if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: flood_detected
+ if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field:
event.action
+ value: scan_detected
+ if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'"
+- set:
+ field: event.action
+ value: sweep_detected
+ if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field: event.action
+ value: fragment_detected
+ if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field: event.action
+ value: spoofing_detected
+ if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'"
+- set:
+ field: event.action
+ value: session_limit_detected
+ if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field: event.action
+ value: attack_detected
+ if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field: event.action
+ value: illegal_tcp_flag_detected
+ if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)'
+- set:
+ field: event.action
+ value: tunneling_screen
+ if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')"
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+
type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_server
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_server != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_server !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+
field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip != null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_client != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_client != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if:
"ctx.juniper?.srx?.username != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: juniper.srx.protocol_id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_id != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ -
juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.bytes_from_client
+ - juniper.srx.packets_from_client
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.bytes_from_server
+ - juniper.srx.packets_from_server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml
new file mode 100755
index 0000000000..790a8aa9cb
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml
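Review bot: The `tunneling_screen` set processor's condition `ctx.juniper?.srx?.attack_name.startsWith('Tunnel')` has no null guard, so an IDS event without `attack_name` makes the Painless script throw on the null receiver and abort the pipeline; because `on_failure` only records `error.message`, the document is indexed without any of the source/destination, geo or cleanup mapping that follows. The guard should read `if: "ctx.juniper?.srx?.attack_name != null && ctx.juniper.srx.attack_name.startsWith('Tunnel')"`. The `source_address` and `sourceip` renames both target `source.ip`, and the rename processor fails when its target already exists, so an event carrying both fields would hit the same failure path; adding `&& ctx.source?.ip == null` to the second rename's condition avoids that, and the same pattern appears in the secintel and utm hunks. For all three pipelines the `on_failure` handler could also set `event.kind: pipeline_error` so that parse failures remain visible to detections that depend on these mapped fields.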
@@ -0,0 +1,350 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (secintel pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"'
+- append:
+ field: event.category
+ value: malware
+ if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: "ctx.juniper?.srx?.action == 'BLOCK'"
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: "ctx.juniper?.srx?.action != 'BLOCK'"
+- set:
+ field: event.action
+ value: malware_detected
+ if: "ctx.juniper?.srx?.action == 'BLOCK'"
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field:
juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_server
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_server != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_server !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+ field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip !=
null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_client != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_client != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.username != null"
+- rename:
+ field: juniper.srx.hostname
+ target_field: source.address
+
ignore_missing: true
+ if: "ctx.juniper?.srx?.hostname != null"
+- rename:
+ field: juniper.srx.client_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.client_ip != null"
+
+######################
+## ECS URL Mapping ##
+######################
+- rename:
+ field: juniper.srx.http_host
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.http_host != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: juniper.srx.protocol_id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_id != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+
target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.bytes_from_client
+ - juniper.srx.packets_from_client
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.bytes_from_server
+ - juniper.srx.packets_from_server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
new file mode 100755
index 0000000000..056f23dbe1
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
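Review bot: The `client.ip` mirror is set from `{{source.ip}}` immediately after the `source_address` rename, but `sourceip` and `client_ip` are renamed into `source.ip` only further down the Client/Source section, so an event whose address arrives in one of those two fields — which the `client_ip` rename suggests SECINTEL logs do — ends up with `source.ip` populated and `client.ip` absent. Moving the `sourceip` and `client_ip` renames above the `set: client.ip` processor keeps the client.* copy consistent with source.*; the ids and utm hunks have the same ordering for `sourceip`. Separately, `event.kind: alert` and `event.category: malware` apply to any SECINTEL_ACTION_LOG action other than PERMIT, while `event.type: denied` and `event.action: malware_detected` require action == BLOCK; if the device ever emits a third action value, those events would be alerts typed `allowed` with no action, so the two conditions should use the same test.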
@@ -0,0 +1,391 @@
+---
+description: Pipeline for parsing junipersrx firewall logs (utm pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.juniper?.srx?.tag != null"
+- append:
+ field: event.category
+ value: network
+- convert:
+ field: juniper.srx.urlcategory_risk
+ type: float
+ target_field: event.risk_score
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: event.kind
+ value: alert
+ if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.category
+ value: malware
+ if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - info
+ - denied
+ - connection
+ if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: web_filter
+ if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+
field: event.action
+ value: content_filter
+ if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: antispam_filter
+ if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+- set:
+ field: event.action
+ value: virus_detected
+ if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)'
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: juniper.srx.destination_address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_address != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: juniper.srx.nat_destination_address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_address != null"
+- convert:
+ field: juniper.srx.destination_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.destination_port != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: juniper.srx.nat_destination_port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_destination_port != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_server
+ target_field:
destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_server != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_server !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: juniper.srx.source_address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_address != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: juniper.srx.nat_source_address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_address != null"
+- rename:
+ field: juniper.srx.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.sourceip != null"
+- convert:
+ field: juniper.srx.source_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.source_port != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: juniper.srx.nat_source_port
+ target_field: source.nat.port
+ type: long
+
ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.nat_source_port != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: juniper.srx.bytes_from_client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.bytes_from_client != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: juniper.srx.packets_from_client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.packets_from_client != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: juniper.srx.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.username != null"
+
+######################
+## ECS Rule Mapping ##
+######################
+- rename:
+ field: juniper.srx.policy_name
+ target_field: rule.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.policy_name != null"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+ field: juniper.srx.url
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.url != null"
+- rename:
+ field: juniper.srx.obj
+ target_field: url.path
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.obj != null"
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+ field: juniper.srx.filename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.filename != null"
+
+#########################
+## ECS Network Mapping ##
+#########################
+- rename:
+ field: juniper.srx.protocol
+ target_field: network.protocol
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: juniper.srx.protocol_id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.juniper?.srx?.protocol_id != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field:
source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - juniper.srx.destination_port
+ - juniper.srx.nat_destination_port
+ - juniper.srx.bytes_from_client
+ - juniper.srx.packets_from_client
+ - juniper.srx.source_port
+ - juniper.srx.nat_source_port
+ - juniper.srx.bytes_from_server
+ - juniper.srx.packets_from_server
+ - juniper.srx.urlcategory_risk
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/fields/agent.yml b/packages/juniper_srx/1.3.0/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..c5d5959b5a
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/fields/agent.yml
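Review bot: `juniper.srx.url` is renamed straight into `url.domain` in the URL Mapping section and nothing keeps `url.original`; this is only correct if the UTM `url` field carries the bare host, which the hunk does not establish — if it can contain a scheme or path, a `uri_parts` processor on that value with `url.original` retained would be more robust than the rename. `event.category: malware` is appended for every tag in the list, including WEBFILTER_URL_BLOCKED and ANTISPAM_SPAM_DETECTED_MT, which are web-filter and anti-spam verdicts rather than malware findings; the ECS categories `web` and `email` fit those tags and keep malware-based detections from firing on URL-filter blocks. The `urlcategory_risk` convert has `ignore_failure: true` and no `if`, so a non-numeric value silently yields no `event.risk_score`; a comment such as `# urlcategory_risk is expected to be a numeric score in WEBFILTER logs` would record that assumption for the next maintainer.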
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: log.offset
+ type: long
+ description: Byte offset of the log line within its file.
+- name: log.source.address
+ type: keyword
+ description: Source address of the syslog message.
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/fields/base-fields.yml b/packages/juniper_srx/1.3.0/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..5b1dbba23c
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: juniper_srx
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: juniper_srx.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/fields/ecs.yml b/packages/juniper_srx/1.3.0/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..70c0a6dd39
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/fields/ecs.yml
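Review bot: `example: 666777888999` under the cloud `account.id` entry is an unquoted all-digit scalar, so YAML loaders read it as an integer even though the field itself is a keyword; quoting it, `example: "666777888999"`, keeps the example a string and stops formatters or a strict schema from retyping it. Two descriptions in this hunk also carry typos that appear to be inherited from the upstream ECS text: `Operating system platform (such centos, ubuntu, windows).` is missing "as", and `These fields help correlate data based containers from any runtime.` is missing "on". The three trailing `description: >` entries (`containerized`, `os.build`, `os.codename`) each leave a blank line after their text; with clip chomping that is harmless, but `>-` would make the intent explicit and match the single-line descriptions around them.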
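Review bot: `'@timestamp'` is declared here with `type: date` and declared again as the first entry of ecs.yml in the same fields directory; duplicated field definitions only stay harmless while both copies agree, and some validators reject duplicates outright, so one copy should go (the ecs.yml entry carries the fuller ECS description). The descriptions `Event module` and `Event dataset` also lack the terminal period that every sibling entry in this file uses.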
@@ -0,0 +1,2598 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Extended build information for the agent. + This field is intended to contain any build information that a data source may provide, no specific formatting is required. + name: agent.build.original + type: keyword +- description: |- + Ephemeral identifier of this agent (if one exists). + This id normally changes across restarts, but `agent.id` does not. + name: agent.ephemeral_id + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + If no name is given, the name is often left empty. + name: agent.name + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: Version of the agent. + name: agent.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: as.number + type: long +- description: Organization name. 
+ multi_fields: + - name: text + type: match_only_text + name: as.organization.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: client.geo.name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. 
+ name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. 
+ For example, an LDAP or Active Directory domain name. + name: client.user.domain + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: client.user.group.id + type: keyword +- description: Name of the group. + name: client.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: client.user.hash + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: client.user.roles + type: keyword +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. 
+ name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: |- + The cloud project identifier. + Examples: Google Cloud Project id, Azure Project id. + name: cloud.project.id + type: keyword +- description: |- + The cloud project name. + Examples: Google Cloud Project name, Azure Project name. + name: cloud.project.name + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: Boolean to capture if a signature is present. + name: code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: code_signature.status + type: keyword +- description: Subject name of the code signer + name: code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: code_signature.valid + type: boolean +- description: Unique container id. + name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. 
+ name: container.image.tag + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. 
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: User email address. + name: destination.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: destination.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: destination.user.group.id + type: keyword +- description: Name of the group. + name: destination.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: destination.user.hash + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: destination.user.roles + type: keyword +- description: Boolean to capture if a signature is present. + name: dll.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. + name: dll.code_signature.status + type: keyword +- description: Subject name of the code signer + name: dll.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: dll.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: dll.code_signature.valid + type: boolean +- description: MD5 hash. + name: dll.hash.md5 + type: keyword +- description: SHA1 hash. + name: dll.hash.sha1 + type: keyword +- description: SHA256 hash. + name: dll.hash.sha256 + type: keyword +- description: SHA512 hash. + name: dll.hash.sha512 + type: keyword +- description: |- + Name of the library. + This generally maps to the name of the file on disk. + name: dll.name + type: keyword +- description: Full file path of the library. + name: dll.path + type: keyword +- description: CPU architecture target for the file. + name: dll.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: dll.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: dll.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: dll.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ name: dll.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: dll.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: dll.pe.product + type: keyword +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. + Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. 
+ name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Unique identifier for the error. + name: error.id + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: The stack trace of this error in plain text. + multi_fields: + - name: text + type: match_only_text + name: error.stack_trace + type: wildcard +- description: The type of the error, for example the class name of the exception. + name: error.type + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. 
+ name: event.end
+ type: date
+- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+ name: event.hash
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ Reference URL linking to additional information about this event.
+ This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+ name: event.reference
+ type: keyword
+- description: Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
+ name: event.risk_score
+ type: float
+- description: |-
+ Normalized risk score or priority of the event, on a scale of 0 to 100.
+ This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+ name: event.risk_score_norm
+ type: float
+- description: |-
+ Sequence number of the event.
+ The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+ name: event.sequence
+ type: long
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ URL linking to an external system to continue investigation of this event.
+ This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+ name: event.url
+ type: keyword
+- description: |-
+ Last time the file was accessed.
+ Note that not all filesystems keep track of access time.
+ name: file.accessed
+ type: date
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Boolean to capture if a signature is present.
+ name: file.code_signature.exists
+ type: boolean
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: file.code_signature.status
+ type: keyword
+- description: Subject name of the code signer
+ name: file.code_signature.subject_name
+ type: keyword
+- description: |-
+ Stores the trust status of the certificate chain.
+ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+ name: file.code_signature.trusted
+ type: boolean
+- description: |-
+ Boolean to capture if the digital signature is verified against the binary content.
+ Leave unpopulated if a certificate was unchecked.
+ name: file.code_signature.valid
+ type: boolean
+- description: |-
+ File creation time.
+ Note that not all filesystems store the creation time.
+ name: file.created
+ type: date
+- description: |-
+ Last time the file attributes or metadata changed.
+ Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+ name: file.ctime
+ type: date
+- description: Device that is the source of the file.
+ name: file.device
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ Drive letter where the file is located. This field is only relevant on Windows.
+ The value should be uppercase, and not include the colon.
+ name: file.drive_letter
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Primary group ID (GID) of the file.
+ name: file.gid
+ type: keyword
+- description: Primary group name of the file.
+ name: file.group
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: Inode representing the file in the filesystem.
+ name: file.inode
+ type: keyword
+- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
+ name: file.mime_type
+ type: keyword
+- description: Mode of the file in octal representation.
+ name: file.mode
+ type: keyword
+- description: Last time the file content was modified.
+ name: file.mtime
+ type: date
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: File owner's username.
+ name: file.owner
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: CPU architecture target for the file.
+ name: file.pe.architecture
+ type: keyword
+- description: Internal company name of the file, provided at compile-time.
+ name: file.pe.company
+ type: keyword
+- description: Internal description of the file, provided at compile-time.
+ name: file.pe.description
+ type: keyword
+- description: Internal version of the file, provided at compile-time.
+ name: file.pe.file_version
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: file.pe.imphash
+ type: keyword
+- description: Internal name of the file, provided at compile-time.
+ name: file.pe.original_file_name
+ type: keyword
+- description: Internal product name of the file, provided at compile-time.
+ name: file.pe.product
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: Target path for symlinks.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.target_path
+ type: keyword
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: The user ID (UID) or security identifier (SID) of the file owner.
+ name: file.uid
+ type: keyword
+- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+ name: file.x509.alternative_names
+ type: keyword
+- description: List of common name (CN) of issuing certificate authority.
+ name: file.x509.issuer.common_name
+ type: keyword
+- description: List of country (C) codes
+ name: file.x509.issuer.country
+ type: keyword
+- description: Distinguished name (DN) of issuing certificate authority.
+ name: file.x509.issuer.distinguished_name
+ type: keyword
+- description: List of locality names (L)
+ name: file.x509.issuer.locality
+ type: keyword
+- description: List of organizations (O) of issuing certificate authority.
+ name: file.x509.issuer.organization
+ type: keyword
+- description: List of organizational units (OU) of issuing certificate authority.
+ name: file.x509.issuer.organizational_unit
+ type: keyword
+- description: List of state or province names (ST, S, or P)
+ name: file.x509.issuer.state_or_province
+ type: keyword
+- description: Time at which the certificate is no longer considered valid.
+ name: file.x509.not_after
+ type: date
+- description: Time at which the certificate is first considered valid.
+ name: file.x509.not_before
+ type: date
+- description: Algorithm used to generate the public key.
+ name: file.x509.public_key_algorithm
+ type: keyword
+- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+ name: file.x509.public_key_curve
+ type: keyword
+- description: Exponent used to derive the public key. This is algorithm specific.
+ doc_values: false
+ index: false
+ name: file.x509.public_key_exponent
+ type: long
+- description: The size of the public key space in bits.
+ name: file.x509.public_key_size
+ type: long
+- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+ name: file.x509.serial_number
+ type: keyword
+- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+ name: file.x509.signature_algorithm
+ type: keyword
+- description: List of common names (CN) of subject.
+ name: file.x509.subject.common_name
+ type: keyword
+- description: List of country (C) code
+ name: file.x509.subject.country
+ type: keyword
+- description: Distinguished name (DN) of the certificate subject entity.
+ name: file.x509.subject.distinguished_name
+ type: keyword
+- description: List of locality names (L)
+ name: file.x509.subject.locality
+ type: keyword
+- description: List of organizations (O) of subject.
+ name: file.x509.subject.organization
+ type: keyword
+- description: List of organizational units (OU) of subject.
+ name: file.x509.subject.organizational_unit
+ type: keyword
+- description: List of state or province names (ST, S, or P)
+ name: file.x509.subject.state_or_province
+ type: keyword
+- description: Version of x509 format.
+ name: file.x509.version_number
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region ISO code.
+ name: geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: MD5 hash.
+ name: hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: hash.sha512
+ type: keyword
+- description: Operating system architecture.
+ name: host.architecture
+ type: keyword
+- description: |-
+ Name of the domain of which the host is a member.
+ For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
+ name: host.domain
+ type: keyword
+- description: City name.
+ name: host.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: host.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: host.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: host.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: host.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: host.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: host.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: host.geo.region_name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: host.os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: host.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: host.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: |-
+ Type of host.
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+ name: host.type
+ type: keyword
+- description: Seconds the host has been up.
+ name: host.uptime
+ type: long
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: The full HTTP request body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.request.body.content
+ type: wildcard
+- description: Total size in bytes of the request (body and headers).
+ name: http.request.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: The full HTTP response body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.response.body.content
+ type: wildcard
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+ name: interface.alias
+ type: keyword
+- description: Interface ID as reported by an observer (typically SNMP interface ID).
+ name: interface.id
+ type: keyword
+- description: Interface name as reported by the system.
+ name: interface.name
+ type: keyword
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+ name: log.syslog
+ type: object
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: The Syslog text-based facility of the log event, if available.
+ name: log.syslog.facility.name
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+ name: log.syslog.severity.name
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name.
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+ name: network.inner
+ type: object
+- description: VLAN ID as reported by the observer.
+ name: network.inner.vlan.id
+ type: keyword
+- description: Optional VLAN name as reported by the observer.
+ name: network.inner.vlan.name
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: VLAN ID as reported by the observer.
+ name: network.vlan.id
+ type: keyword
+- description: Optional VLAN name as reported by the observer.
+ name: network.vlan.name
+ type: keyword
+- description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+ name: observer.egress
+ type: object
+- description: Interface alias as reported by the system, typically used in firewall implementations for e.g.
inside, outside, or dmz logical interface naming.
+ name: observer.egress.interface.alias
+ type: keyword
+- description: Interface ID as reported by an observer (typically SNMP interface ID).
+ name: observer.egress.interface.id
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: VLAN ID as reported by the observer.
+ name: observer.egress.vlan.id
+ type: keyword
+- description: Optional VLAN name as reported by the observer.
+ name: observer.egress.vlan.name
+ type: keyword
+- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+ name: observer.egress.zone
+ type: keyword
+- description: City name.
+ name: observer.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: observer.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: observer.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: observer.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: observer.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: observer.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: observer.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: observer.geo.region_name
+ type: keyword
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+ name: observer.ingress
+ type: object
+- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+ name: observer.ingress.interface.alias
+ type: keyword
+- description: Interface ID as reported by an observer (typically SNMP interface ID).
+ name: observer.ingress.interface.id
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: VLAN ID as reported by the observer.
+ name: observer.ingress.vlan.id
+ type: keyword
+- description: Optional VLAN name as reported by the observer.
+ name: observer.ingress.vlan.name
+ type: keyword
+- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+ name: observer.ingress.zone
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ MAC addresses of the observer.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: observer.mac
+ type: keyword
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: observer.os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: observer.os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: observer.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: observer.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: observer.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: observer.os.version
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: Observer serial number.
+ name: observer.serial_number
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: Unique identifier for the organization.
+ name: organization.id
+ type: keyword
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: organization.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: os.version
+ type: keyword
+- description: Package architecture.
+ name: package.architecture
+ type: keyword
+- description: |-
+ Additional information about the build version of the installed package.
+ For example use the commit SHA of a non-released package.
+ name: package.build_version
+ type: keyword
+- description: Checksum of the installed package for verification.
+ name: package.checksum
+ type: keyword
+- description: Description of the package.
+ name: package.description
+ type: keyword
+- description: Indicating how the package was installed, e.g. user-local, global.
+ name: package.install_scope
+ type: keyword
+- description: Time when package was installed.
+ name: package.installed
+ type: date
+- description: |-
+ License under which the package was released.
+ Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
+ name: package.license
+ type: keyword
+- description: Package name
+ name: package.name
+ type: keyword
+- description: Path where the package is installed.
+ name: package.path
+ type: keyword
+- description: Home page or reference URL of the software in this package, if available.
+ name: package.reference
+ type: keyword
+- description: Package size in bytes.
+ name: package.size
+ type: long
+- description: |-
+ Type of package.
+ This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+ name: package.type
+ type: keyword
+- description: Package version
+ name: package.version
+ type: keyword
+- description: CPU architecture target for the file.
+ name: pe.architecture
+ type: keyword
+- description: Internal company name of the file, provided at compile-time.
+ name: pe.company
+ type: keyword
+- description: Internal description of the file, provided at compile-time.
+ name: pe.description
+ type: keyword
+- description: Internal version of the file, provided at compile-time.
+ name: pe.file_version
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: pe.imphash
+ type: keyword
+- description: Internal name of the file, provided at compile-time.
+ name: pe.original_file_name
+ type: keyword
+- description: Internal product name of the file, provided at compile-time.
+ name: pe.product
+ type: keyword
+- description: |-
+ Array of process arguments, starting with the absolute path to the executable.
+ May be filtered to protect sensitive information.
+ name: process.args
+ type: keyword
+- description: |-
+ Length of the process.args array.
+ This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+ name: process.args_count
+ type: long
+- description: Boolean to capture if a signature is present.
+ name: process.code_signature.exists
+ type: boolean
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: process.code_signature.status
+ type: keyword
+- description: Subject name of the code signer
+ name: process.code_signature.subject_name
+ type: keyword
+- description: |-
+ Stores the trust status of the certificate chain.
+ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+ name: process.code_signature.trusted
+ type: boolean
+- description: |-
+ Boolean to capture if the digital signature is verified against the binary content.
+ Leave unpopulated if a certificate was unchecked.
+ name: process.code_signature.valid
+ type: boolean
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: |-
+ The exit code of the process, if this is a termination event.
+ The field should be absent if there is no exit code for the event (e.g. process start).
+ name: process.exit_code
+ type: long
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: process.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: process.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: process.hash.sha512
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Array of process arguments, starting with the absolute path to the executable.
+ May be filtered to protect sensitive information.
+ name: process.parent.args
+ type: keyword
+- description: |-
+ Length of the process.args array.
+ This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+ name: process.parent.args_count
+ type: long
+- description: Boolean to capture if a signature is present.
+ name: process.parent.code_signature.exists
+ type: boolean
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: process.parent.code_signature.status
+ type: keyword
+- description: Subject name of the code signer
+ name: process.parent.code_signature.subject_name
+ type: keyword
+- description: |-
+ Stores the trust status of the certificate chain.
+ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+ name: process.parent.code_signature.trusted
+ type: boolean
+- description: |-
+ Boolean to capture if the digital signature is verified against the binary content.
+ Leave unpopulated if a certificate was unchecked.
+ name: process.parent.code_signature.valid
+ type: boolean
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.parent.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.executable
+ type: keyword
+- description: |-
+ The exit code of the process, if this is a termination event.
+ The field should be absent if there is no exit code for the event (e.g. process start).
+ name: process.parent.exit_code
+ type: long
+- description: MD5 hash.
+ name: process.parent.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: process.parent.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: process.parent.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: process.parent.hash.sha512
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: CPU architecture target for the file.
+ name: process.parent.pe.architecture
+ type: keyword
+- description: Internal company name of the file, provided at compile-time.
+ name: process.parent.pe.company
+ type: keyword
+- description: Internal description of the file, provided at compile-time.
+ name: process.parent.pe.description
+ type: keyword
+- description: Internal version of the file, provided at compile-time.
+ name: process.parent.pe.file_version
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file.
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: process.parent.pe.imphash
+ type: keyword
+- description: Internal name of the file, provided at compile-time.
+ name: process.parent.pe.original_file_name
+ type: keyword
+- description: Internal product name of the file, provided at compile-time.
+ name: process.parent.pe.product
+ type: keyword
+- description: |-
+ Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
+ Identifier of the group of processes the process belongs to.
+ name: process.parent.pgid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: The time the process started.
+ name: process.parent.start
+ type: date
+- description: Thread ID.
+ name: process.parent.thread.id
+ type: long
+- description: Thread name.
+ name: process.parent.thread.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Seconds the process has been up.
+ name: process.parent.uptime
+ type: long
+- description: The working directory of the process.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.working_directory
+ type: keyword
+- description: CPU architecture target for the file.
+ name: process.pe.architecture
+ type: keyword
+- description: Internal company name of the file, provided at compile-time.
+ name: process.pe.company
+ type: keyword
+- description: Internal description of the file, provided at compile-time.
+ name: process.pe.description
+ type: keyword
+- description: Internal version of the file, provided at compile-time.
+ name: process.pe.file_version
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: process.pe.imphash
+ type: keyword
+- description: Internal name of the file, provided at compile-time.
+ name: process.pe.original_file_name
+ type: keyword
+- description: Internal product name of the file, provided at compile-time.
+ name: process.pe.product
+ type: keyword
+- description: |-
+ Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
+ Identifier of the group of processes the process belongs to.
+ name: process.pgid
+ type: long
+- description: Process id.
+ name: process.pid
+ type: long
+- description: The time the process started.
+ name: process.start
+ type: date
+- description: Thread ID.
+ name: process.thread.id
+ type: long
+- description: Thread name.
+ name: process.thread.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: Seconds the process has been up.
+ name: process.uptime
+ type: long
+- description: The working directory of the process.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.working_directory
+ type: keyword
+- description: |-
+ Original bytes written with base64 encoding.
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+ name: registry.data.bytes
+ type: keyword
+- description: |-
+ Content when writing string types.
+ Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+ name: registry.data.strings
+ type: wildcard
+- description: Standard registry type for encoding contents
+ name: registry.data.type
+ type: keyword
+- description: Abbreviated name for the hive.
+ name: registry.hive
+ type: keyword
+- description: Hive-relative path of keys.
+ name: registry.key
+ type: keyword
+- description: Full path, including hive, key and value
+ name: registry.path
+ type: keyword
+- description: Name of the value written.
+ name: registry.value
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+ name: rule.author
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: The description of the rule generating the event.
+ name: rule.description
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: Name of the license under which the rule used to generate this event is made available.
+ name: rule.license
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ Reference URL to additional information about the rule used to generate this event.
+ The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
+ name: rule.reference
+ type: keyword
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+ name: rule.uuid
+ type: keyword
+- description: The version / revision of the rule being used for analysis.
+ name: rule.version
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: server.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: server.as.organization.name
+ type: keyword
+- description: Bytes sent from the server to the client.
+ name: server.bytes
+ type: long
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: City name.
+ name: server.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: server.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: server.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: server.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: server.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: server.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: server.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: server.geo.region_name
+ type: keyword
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: |-
+ MAC address of the server.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: server.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: server.nat.ip
+ type: ip
+- description: |-
+ Translated port of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: server.nat.port
+ type: long
+- description: Packets sent from the server to the client.
+ name: server.packets
+ type: long
+- description: Port of the server.
+ name: server.port
+ type: long
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: server.user.domain
+ type: keyword
+- description: User email address.
+ name: server.user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: server.user.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: server.user.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: server.user.group.id
+ type: keyword
+- description: Name of the group.
+ name: server.user.group.name
+ type: keyword
+- description: |-
+ Unique user hash to correlate information for a user in anonymized form.
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+ name: server.user.hash
+ type: keyword
+- description: Unique identifier of the user.
+ name: server.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: server.user.name
+ type: keyword
+- description: Array of user roles at the time of the event.
+ name: server.user.roles
+ type: keyword
+- description: |-
+ Ephemeral identifier of this service (if one exists).
+ This id normally changes across restarts, but `service.id` does not.
+ name: service.ephemeral_id
+ type: keyword
+- description: |-
+ Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
+ This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
+ Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+ name: service.id
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Name of a service node.
+ This allows for two nodes of the same service running on the same host to be differentiated.
Therefore, `service.node.name` should typically be unique across nodes of a given service.
+ In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+ name: service.node.name
+ type: keyword
+- description: Current state of the service.
+ name: service.state
+ type: keyword
+- description: |-
+ The type of the service data is collected from.
+ The type can be used to group and correlate logs and metrics from one service type.
+ Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+ name: service.type
+ type: keyword
+- description: |-
+ Version of the service the data was collected from.
+ This allows to look at a data set only for a specific version of a service.
+ name: service.version
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: source.user.domain
+ type: keyword
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: source.user.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: source.user.group.id
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: |-
+ Unique user hash to correlate information for a user in anonymized form.
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+ name: source.user.hash
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: Array of user roles at the time of the event.
+ name: source.user.roles
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+ name: threat.framework
+ type: keyword
+- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
+ name: threat.tactic.id
+ type: keyword
+- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
+ name: threat.tactic.name
+ type: keyword
+- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
+ name: threat.tactic.reference
+ type: keyword
+- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
+ name: threat.technique.id
+ type: keyword
+- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.technique.name
+ type: keyword
+- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex.
https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + type: keyword +- description: String indicating the cipher used during the current connection. + name: tls.cipher + type: keyword +- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + name: tls.client.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + name: tls.client.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.sha256 + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + name: tls.client.ja3 + type: keyword +- description: Date/Time indicating when client certificate is no longer considered valid. 
+ name: tls.client.not_after + type: date +- description: Date/Time indicating when client certificate is first considered valid. + name: tls.client.not_before + type: date +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: Distinguished name of subject of the x.509 certificate presented by the client. + name: tls.client.subject + type: keyword +- description: Array of ciphers offered by the client during the client hello. + name: tls.client.supported_ciphers + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.client.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.client.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.client.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: tls.client.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.client.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: tls.client.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. 
+ name: tls.client.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: tls.client.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.client.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.client.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.client.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.client.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.client.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.client.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: tls.client.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.client.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: tls.client.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.client.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. 
+ name: tls.client.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: tls.client.x509.version_number + type: keyword +- description: String indicating the curve used for the given cipher, when applicable. + name: tls.curve + type: keyword +- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + name: tls.established + type: boolean +- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + name: tls.next_protocol + type: keyword +- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + name: tls.resumed + type: boolean +- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + name: tls.server.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + name: tls.server.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ name: tls.server.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.sha256 + type: keyword +- description: Subject of the issuer of the x.509 certificate presented by the server. + name: tls.server.issuer + type: keyword +- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + name: tls.server.ja3s + type: keyword +- description: Timestamp indicating when server certificate is no longer considered valid. + name: tls.server.not_after + type: date +- description: Timestamp indicating when server certificate is first considered valid. + name: tls.server.not_before + type: date +- description: Subject of the x.509 certificate presented by the server. + name: tls.server.subject + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.server.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.server.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.server.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: tls.server.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.server.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. 
+ name: tls.server.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: tls.server.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: tls.server.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.server.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.server.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.server.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.server.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.server.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.server.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: tls.server.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.server.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. 
+ name: tls.server.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.server.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: tls.server.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: tls.server.x509.version_number + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword +- description: |- + Unique identifier of the span within the scope of its trace. + A span represents an operation within a transaction, such as a request to another service, or a database query. + name: span.id + type: keyword +- description: |- + Unique identifier of the trace. + A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + name: trace.id + type: keyword +- description: |- + Unique identifier of the transaction within the scope of its trace. + A transaction is the highest level of work measured within a service, such as a request to a server. + name: transaction.id + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
+ name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. 
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: user.hash + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: VLAN ID as reported by the observer. + name: vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: vlan.name + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword +- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + name: vulnerability.classification + type: keyword +- description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + multi_fields: + - name: text + type: match_only_text + name: vulnerability.description + type: keyword +- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + name: vulnerability.enumeration + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. + name: vulnerability.reference + type: keyword +- description: The report or scan identification number. + name: vulnerability.report_id + type: keyword +- description: The name of the vulnerability scanner vendor. + name: vulnerability.scanner.vendor + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.environmental + type: float +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.temporal + type: float +- description: |- + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.score.version + type: keyword +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. 
+ name: x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
+ name: x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: x509.subject.common_name + type: keyword +- description: List of country (C) code + name: x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: x509.version_number + type: keyword diff --git a/packages/juniper_srx/1.3.0/data_stream/log/fields/fields.yml b/packages/juniper_srx/1.3.0/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..f1c609ea12 --- /dev/null +++ b/packages/juniper_srx/1.3.0/data_stream/log/fields/fields.yml 
@@ -0,0 +1,388 @@ +- name: juniper.srx + type: group + release: ga + fields: + - name: reason + type: keyword + description: | + reason + - name: connection_tag + type: keyword + description: | + connection tag + - name: service_name + type: keyword + description: | + service name + - name: nat_connection_tag + type: keyword + description: | + nat connection tag + - name: src_nat_rule_type + type: keyword + description: | + src nat rule type + - name: src_nat_rule_name + type: keyword + description: | + src nat rule name + - name: dst_nat_rule_type + type: keyword + description: | + dst nat rule type + - name: dst_nat_rule_name + type: keyword + description: | + dst nat rule name + - name: protocol_id + type: keyword + description: | + protocol id + - name: policy_name + type: keyword + description: | + policy name + - name: session_id_32 + type: keyword + description: | + session id 32 + - name: session_id + type: keyword + description: | + session id + - name: outbound_packets + type: integer + description: | + packets from client + - name: outbound_bytes + type: integer + description: | + bytes from client + - name: inbound_packets + type: integer + description: | + packets from server + - name: inbound_bytes + type: integer + description: | + bytes from server + - name: elapsed_time + type: date + description: | + elapsed time + - name: application + type: keyword + description: | + application + - name: nested_application + type: keyword + description: | + nested application + - name: username + type: keyword + description: | + username + - name: roles + type: keyword + description: | + roles + - name: encrypted + type: keyword + description: | + encrypted + - name: application_category + type: keyword + description: | + application category + - name: application_sub_category + type: keyword + description: | + application sub category + - name: application_characteristics + type: keyword + description: | + application characteristics + - name: 
secure_web_proxy_session_type + type: keyword + description: | + secure web proxy session type + - name: peer_session_id + type: keyword + description: | + peer session id + - name: peer_source_address + type: ip + description: | + peer source address + - name: peer_source_port + type: integer + description: | + peer source port + - name: peer_destination_address + type: ip + description: | + peer destination address + - name: peer_destination_port + type: integer + description: | + peer destination port + - name: hostname + type: keyword + description: | + hostname + - name: src_vrf_grp + type: keyword + description: | + src_vrf_grp + - name: dst_vrf_grp + type: keyword + description: | + dst_vrf_grp + - name: icmp_type + type: integer + description: | + icmp type + - name: process + type: keyword + description: | + process that generated the message + - name: apbr_rule_type + type: keyword + description: | + apbr rule type + - name: dscp_value + type: integer + description: | + apbr rule type + - name: logical_system_name + type: keyword + description: | + logical system name + - name: profile_name + type: keyword + description: | + profile name + - name: routing_instance + type: keyword + description: | + routing instance + - name: rule_name + type: keyword + description: | + rule name + - name: uplink_tx_bytes + type: integer + description: | + uplink tx bytes + - name: uplink_rx_bytes + type: integer + description: | + uplink rx bytes + - name: obj + type: keyword + description: | + url path + - name: url + type: keyword + description: | + url domain + - name: profile + type: keyword + description: | + filter profile + - name: category + type: keyword + description: | + filter category + - name: filename + type: keyword + description: | + filename + - name: temporary_filename + type: keyword + description: | + temporary_filename + - name: name + type: keyword + description: | + name + - name: error_message + type: keyword + description: | + error_message + - 
name: error_code + type: keyword + description: | + error_code + - name: action + type: keyword + description: | + action + - name: protocol + type: keyword + description: | + protocol + - name: protocol_name + type: keyword + description: | + protocol name + - name: type + type: keyword + description: | + type + - name: repeat_count + type: integer + description: | + repeat count + - name: alert + type: keyword + description: | + repeat alert + - name: message_type + type: keyword + description: | + message type + - name: threat_severity + type: keyword + description: | + threat severity + - name: application_name + type: keyword + description: | + application name + - name: attack_name + type: keyword + description: | + attack name + - name: index + type: keyword + description: | + index + - name: message + type: keyword + description: | + mesagge + - name: epoch_time + type: date + description: | + epoch time + - name: packet_log_id + type: integer + description: | + packet log id + - name: export_id + type: integer + description: | + packet log id + - name: ddos_application_name + type: keyword + description: | + ddos application name + - name: connection_hit_rate + type: integer + description: | + connection hit rate + - name: time_scope + type: keyword + description: | + time scope + - name: context_hit_rate + type: integer + description: | + context hit rate + - name: context_value_hit_rate + type: integer + description: | + context value hit rate + - name: time_count + type: integer + description: | + time count + - name: time_period + type: integer + description: | + time period + - name: context_value + type: keyword + description: | + context value + - name: context_name + type: keyword + description: | + context name + - name: ruleebase_name + type: keyword + description: | + ruleebase name + - name: verdict_source + type: keyword + description: | + verdict source + - name: verdict_number + type: integer + description: | + verdict number + - name: 
file_category + type: keyword + description: | + file category + - name: sample_sha256 + type: keyword + description: | + sample sha256 + - name: malware_info + type: keyword + description: | + malware info + - name: client_ip + type: ip + description: | + client ip + - name: tenant_id + type: keyword + description: | + tenant id + - name: timestamp + type: date + description: | + timestamp + - name: th + type: keyword + description: | + th + - name: status + type: keyword + description: | + status + - name: state + type: keyword + description: | + state + - name: file_hash_lookup + type: keyword + description: | + file hash lookup + - name: file_name + type: keyword + description: | + file name + - name: action_detail + type: keyword + description: | + action detail + - name: sub_category + type: keyword + description: | + sub category + - name: feed_name + type: keyword + description: | + feed name + - name: occur_count + type: integer + description: | + occur count + - name: tag + type: keyword + description: |- + system log message tag, which uniquely identifies the message. diff --git a/packages/juniper_srx/1.3.0/data_stream/log/manifest.yml b/packages/juniper_srx/1.3.0/data_stream/log/manifest.yml new file mode 100755 index 0000000000..3ef0bbef69 --- /dev/null +++ b/packages/juniper_srx/1.3.0/data_stream/log/manifest.yml 
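Review bot: Three descriptions in this new fields.yml are copy-paste or spelling slips: `dscp_value` is described as `apbr rule type` (the text of the field directly above it), `export_id` repeats `packet log id` from `packet_log_id`, and `message` is described as `mesagge`; these should read `dscp value`, `export id` and `message` respectively. `elapsed_time` is declared `type: date` although its description ("elapsed time") reads as a duration, so unless the ingest pipeline turns it into a timestamp a `long` type would be the safer mapping — worth confirming against the pipeline before release. The field name `ruleebase_name` looks like a misspelling of `rulebase_name`, but since it must match what the pipeline emits, check the pipeline rather than renaming it here. Stylistically, nearly every one-line description uses `|` while the final `tag` field uses `|-`; the trailing newline `|` keeps is harmless, but a plain scalar or `>-` throughout would be consistent.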
@@ -0,0 +1,173 @@
+type: logs
+title: Juniper SRX logs
+streams:
+ - input: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9006
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ template_path: tcp.yml.hbs
+ title: Juniper SRX logs
+ description: Collect Juniper SRX logs via TCP
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9006
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Juniper SRX logs
+ description: Collect Juniper SRX logs via UDP
+ - input: filestream
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-srx.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: logfile.yml.hbs
+ title: Juniper SRX logs
+ description: Read Juniper SRX logs from a file
diff --git a/packages/juniper_srx/1.3.0/data_stream/log/sample_event.json b/packages/juniper_srx/1.3.0/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..ea03571008
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/data_stream/log/sample_event.json
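Review bot: The `tcp_options` default in the tcp stream's vars carries a typo in its example line, `#framing: delimitier`; an operator who uncomments it as the template invites will get a rejected input configuration, since the TCP input's `framing` option accepts `delimiter` or `rfc6587`. Suggest `#framing: delimiter`. The `ssl` var's description opens with `i.e. certificate_authorities, supported_protocols, verification_mode etc.` where `e.g.` is meant, as it lists examples rather than a definition, and because the entire default block is commented out it would help to state in that description that the listener accepts plain TCP until an ssl block is supplied. The udp and filestream streams later in the hunk reuse the processors text but not these two vars, so the fix is confined to the tcp stream.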
@@ -0,0 +1,117 @@
+{
+ "@timestamp": "2016-02-18T01:32:50.391Z",
+ "agent": {
+ "ephemeral_id": "468e3921-9867-43fa-8cc6-d8b5ccb54a25",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "ip": "192.168.1.100",
+ "port": 58071
+ },
+ "data_stream": {
+ "dataset": "juniper_srx.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.13",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "web_filter",
+ "agent_id_status": "verified",
+ "category": [
+ "network",
+ "malware"
+ ],
+ "dataset": "juniper_srx.log",
+ "ingested": "2022-01-01T23:05:23Z",
+ "kind": "alert",
+ "outcome": "success",
+ "severity": 12,
+ "timezone": "+00:00",
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "input": {
+ "type": "udp"
+ },
+ "juniper": {
+ "srx": {
+ "category": "cat1",
+ "process": "RT_UTM",
+ "profile": "uf1",
+ "reason": "BY_BLACK_LIST",
+ "tag": "WEBFILTER_URL_BLOCKED"
+ }
+ },
+ "log": {
+ "level": "warning",
+ "source": {
+ "address": "172.18.0.7:60328"
+ }
+ },
+ "observer": {
+ "name": "utm-srx550-b",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "related": {
+ "hosts": [
+ "www.baidu.com"
+ ],
+ "ip": [
+ "192.168.1.100",
+ "67.43.156.13"
+ ],
+ "user": [
+ "user01"
+ ]
+ },
+ "server": {
+ "ip": "67.43.156.13",
+ "port": 80
+ },
+ "source": {
+ "ip": "192.168.1.100",
+ "port": 58071,
+ "user": {
+ "name": "user01"
+ }
+ },
+ "tags": [
+ "juniper-srx",
+ "forwarded"
+ ],
+ "url": {
+ "domain": "www.baidu.com",
+ "path": "/"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper_srx/1.3.0/docs/README.md b/packages/juniper_srx/1.3.0/docs/README.md
new file mode 100755
index 0000000000..cd744d7453
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/docs/README.md
@@ -0,0 +1,870 @@ +# Juniper SRX integration + +This is an integration for ingesting logs from Juniper SRX. + +### Log + +The SRX Log integration only supports syslog messages in the format "structured-data + brief". See the [JunOS Documentation on structured-data.](https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html) + +To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging.](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502) +The syslog format choosen should be `Default`. + +The following processes and tags are supported: + +| JunOS processes | JunOS tags | +|-----------------|-------------------------------------------| +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | + + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. 
| keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| as.organization.name | Organization name. | keyword | +| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | +| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | +| client.packets | Packets sent from the client to the server. | long | +| client.port | Port of the client. | long | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| client.user.roles | Array of user roles at the time of the event. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. 
| keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| code_signature.exists | Boolean to capture if a signature is present. | boolean | +| code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| code_signature.subject_name | Subject name of the code signer | keyword | +| code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.full_name | User's full name, if available. | keyword | +| destination.user.full_name.text | Multi-field of `destination.user.full_name`. 
| match_only_text | +| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. | keyword | +| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| destination.user.roles | Array of user roles at the time of the event. | keyword | +| dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| dll.code_signature.subject_name | Subject name of the code signer | keyword | +| dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| dll.hash.md5 | MD5 hash. | keyword | +| dll.hash.sha1 | SHA1 hash. | keyword | +| dll.hash.sha256 | SHA256 hash. | keyword | +| dll.hash.sha512 | SHA512 hash. | keyword | +| dll.name | Name of the library. This generally maps to the name of the file on disk. 
| keyword | +| dll.path | Full file path of the library. | keyword | +| dll.pe.architecture | CPU architecture target for the file. | keyword | +| dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| dll.pe.description | Internal description of the file, provided at compile-time. | keyword | +| dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. 
It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | +| error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | +| event.action | The action captured by the event. This describes the information in the event. 
It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
+| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
+| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
+| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| file.code_signature.subject_name | Subject name of the code signer | keyword |
+| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| file.created | File creation time. Note that not all filesystems store the creation time. | date |
+| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date |
+| file.device | Device that is the source of the file. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.gid | Primary group ID (GID) of the file. | keyword |
+| file.group | Primary group name of the file. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash. | keyword |
+| file.inode | Inode representing the file in the filesystem. | keyword |
+| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
+| file.mode | Mode of the file in octal representation. | keyword |
+| file.mtime | Last time the file content was modified. | date |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.owner | File owner's username. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.pe.architecture | CPU architecture target for the file. | keyword |
+| file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| file.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| file.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.target_path | Target path for symlinks. | keyword |
+| file.target_path.text | Multi-field of `file.target_path`. | match_only_text |
+| file.type | File type (file, dir, or symlink). | keyword |
+| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword |
+| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
+| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| file.x509.issuer.country | List of country (C) codes | keyword |
+| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
+| file.x509.issuer.locality | List of locality names (L) | keyword |
+| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
+| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
+| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| file.x509.public_key_size | The size of the public key space in bits. | long |
+| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
+| file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| file.x509.subject.country | List of country (C) code | keyword |
+| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
+| file.x509.subject.locality | List of locality names (L) | keyword |
+| file.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.version_number | Version of x509 format. | keyword |
+| geo.city_name | City name. | keyword |
+| geo.continent_name | Name of the continent. | keyword |
+| geo.country_iso_code | Country ISO code. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.location | Longitude and latitude. | geo_point |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_iso_code | Region ISO code. | keyword |
+| geo.region_name | Region name. | keyword |
+| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| hash.md5 | MD5 hash. | keyword |
+| hash.sha1 | SHA1 hash. | keyword |
+| hash.sha256 | SHA256 hash. | keyword |
+| hash.sha512 | SHA512 hash. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.body.content | The full HTTP request body. | wildcard |
+| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.body.content | The full HTTP response body. | wildcard |
+| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Input type. | keyword |
+| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| interface.name | Interface name as reported by the system. | keyword |
+| juniper.srx.action | action | keyword |
+| juniper.srx.action_detail | action detail | keyword |
+| juniper.srx.alert | repeat alert | keyword |
+| juniper.srx.apbr_rule_type | apbr rule type | keyword |
+| juniper.srx.application | application | keyword |
+| juniper.srx.application_category | application category | keyword |
+| juniper.srx.application_characteristics | application characteristics | keyword |
+| juniper.srx.application_name | application name | keyword |
+| juniper.srx.application_sub_category | application sub category | keyword |
+| juniper.srx.attack_name | attack name | keyword |
+| juniper.srx.category | filter category | keyword |
+| juniper.srx.client_ip | client ip | ip |
+| juniper.srx.connection_hit_rate | connection hit rate | integer |
+| juniper.srx.connection_tag | connection tag | keyword |
+| juniper.srx.context_hit_rate | context hit rate | integer |
+| juniper.srx.context_name | context name | keyword |
+| juniper.srx.context_value | context value | keyword |
+| juniper.srx.context_value_hit_rate | context value hit rate | integer |
+| juniper.srx.ddos_application_name | ddos application name | keyword |
+| juniper.srx.dscp_value | apbr rule type | integer |
+| juniper.srx.dst_nat_rule_name | dst nat rule name | keyword |
+| juniper.srx.dst_nat_rule_type | dst nat rule type | keyword |
+| juniper.srx.dst_vrf_grp | dst_vrf_grp | keyword |
+| juniper.srx.elapsed_time | elapsed time | date |
+| juniper.srx.encrypted | encrypted | keyword |
+| juniper.srx.epoch_time | epoch time | date |
+| juniper.srx.error_code | error_code | keyword |
+| juniper.srx.error_message | error_message | keyword |
+| juniper.srx.export_id | packet log id | integer |
+| juniper.srx.feed_name | feed name | keyword |
+| juniper.srx.file_category | file category | keyword |
+| juniper.srx.file_hash_lookup | file hash lookup | keyword |
+| juniper.srx.file_name | file name | keyword |
+| juniper.srx.filename | filename | keyword |
+| juniper.srx.hostname | hostname | keyword |
+| juniper.srx.icmp_type | icmp type | integer |
+| juniper.srx.inbound_bytes | bytes from server | integer |
+| juniper.srx.inbound_packets | packets from server | integer |
+| juniper.srx.index | index | keyword |
+| juniper.srx.logical_system_name | logical system name | keyword |
+| juniper.srx.malware_info | malware info | keyword |
+| juniper.srx.message | mesagge | keyword |
+| juniper.srx.message_type | message type | keyword |
+| juniper.srx.name | name | keyword |
+| juniper.srx.nat_connection_tag | nat connection tag | keyword |
+| juniper.srx.nested_application | nested application | keyword |
+| juniper.srx.obj | url path | keyword |
+| juniper.srx.occur_count | occur count | integer |
+| juniper.srx.outbound_bytes | bytes from client | integer |
+| juniper.srx.outbound_packets | packets from client | integer |
+| juniper.srx.packet_log_id | packet log id | integer |
+| juniper.srx.peer_destination_address | peer destination address | ip |
+| juniper.srx.peer_destination_port | peer destination port | integer |
+| juniper.srx.peer_session_id | peer session id | keyword |
+| juniper.srx.peer_source_address | peer source address | ip |
+| juniper.srx.peer_source_port | peer source port | integer |
+| juniper.srx.policy_name | policy name | keyword |
+| juniper.srx.process | process that generated the message | keyword |
+| juniper.srx.profile | filter profile | keyword |
+| juniper.srx.profile_name | profile name | keyword |
+| juniper.srx.protocol | protocol | keyword |
+| juniper.srx.protocol_id | protocol id | keyword |
+| juniper.srx.protocol_name | protocol name | keyword |
+| juniper.srx.reason | reason | keyword |
+| juniper.srx.repeat_count | repeat count | integer |
+| juniper.srx.roles | roles | keyword |
+| juniper.srx.routing_instance | routing instance | keyword |
+| juniper.srx.rule_name | rule name | keyword |
+| juniper.srx.ruleebase_name | ruleebase name | keyword |
+| juniper.srx.sample_sha256 | sample sha256 | keyword |
+| juniper.srx.secure_web_proxy_session_type | secure web proxy session type | keyword |
+| juniper.srx.service_name | service name | keyword |
+| juniper.srx.session_id | session id | keyword |
+| juniper.srx.session_id_32 | session id 32 | keyword |
+| juniper.srx.src_nat_rule_name | src nat rule name | keyword |
+| juniper.srx.src_nat_rule_type | src nat rule type | keyword |
+| juniper.srx.src_vrf_grp | src_vrf_grp | keyword |
+| juniper.srx.state | state | keyword |
+| juniper.srx.status | status | keyword |
+| juniper.srx.sub_category | sub category | keyword |
+| juniper.srx.tag | system log message tag, which uniquely identifies the message. | keyword |
+| juniper.srx.temporary_filename | temporary_filename | keyword |
+| juniper.srx.tenant_id | tenant id | keyword |
+| juniper.srx.th | th | keyword |
+| juniper.srx.threat_severity | threat severity | keyword |
+| juniper.srx.time_count | time count | integer |
+| juniper.srx.time_period | time period | integer |
+| juniper.srx.time_scope | time scope | keyword |
+| juniper.srx.timestamp | timestamp | date |
+| juniper.srx.type | type | keyword |
+| juniper.srx.uplink_rx_bytes | uplink rx bytes | integer |
+| juniper.srx.uplink_tx_bytes | uplink tx bytes | integer |
+| juniper.srx.url | url domain | keyword |
+| juniper.srx.username | username | keyword |
+| juniper.srx.verdict_number | verdict number | integer |
+| juniper.srx.verdict_source | verdict source | keyword |
+| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Byte offset of the log line within its file. | long |
+| log.source.address | Source address of the syslog message. | keyword |
+| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| network.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| observer.os.full | Operating system name, including the version or code name. | keyword |
+| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text |
+| observer.os.kernel | Operating system kernel version as a raw string. | keyword |
+| observer.os.name | Operating system name, without the version. | keyword |
+| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text |
+| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| observer.os.version | Operating system version as a raw string. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| organization.id | Unique identifier for the organization. | keyword |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| os.full | Operating system name, including the version or code name. | keyword |
+| os.full.text | Multi-field of `os.full`. | match_only_text |
+| os.kernel | Operating system kernel version as a raw string. | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| os.version | Operating system version as a raw string. | keyword |
+| package.architecture | Package architecture. | keyword |
+| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword |
+| package.checksum | Checksum of the installed package for verification. | keyword |
+| package.description | Description of the package. | keyword |
+| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword |
+| package.installed | Time when package was installed. | date |
+| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword |
+| package.name | Package name | keyword |
+| package.path | Path where the package is installed. | keyword |
+| package.reference | Home page or reference URL of the software in this package, if available. | keyword |
+| package.size | Package size in bytes. | long |
+| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword |
+| package.version | Package version | keyword |
+| pe.architecture | CPU architecture target for the file. | keyword |
+| pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| pe.description | Internal description of the file, provided at compile-time. | keyword |
+| pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| pe.product | Internal product name of the file, provided at compile-time. 
| keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. 
| keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. 
| keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | +| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | +| registry.data.type | Standard registry type for encoding contents | keyword | +| registry.hive | Abbreviated name for the hive. | keyword | +| registry.key | Hive-relative path of keys. | keyword | +| registry.path | Full path, including hive, key and value | keyword | +| registry.value | Name of the value written. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| keyword | +| rule.license | Name of the license under which the rule used to generate this event is made available. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| server.as.organization.name | Organization name. | keyword | +| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. 
| keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | +| server.packets | Packets sent from the server to the client. | long | +| server.port | Port of the server. | long | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.email | User email address. | keyword | +| server.user.full_name | User's full name, if available. | keyword | +| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | +| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| server.user.group.name | Name of the group. | keyword | +| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| server.user.id | Unique identifier of the user. | keyword | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| server.user.roles | Array of user roles at the time of the event. | keyword | +| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | +| service.state | Current state of the service. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. 
| long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text | +| source.user.roles | Array of user roles at the time of the event. | keyword | +| span.id | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| tls.cipher | String indicating the cipher used during the current connection. 
| keyword | +| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | +| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | +| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | +| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. 
| keyword | +| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | +| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.country | List of country (C) codes | keyword | +| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.locality | List of locality names (L) | keyword | +| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| tls.client.x509.public_key_size | The size of the public key space in bits. | long | +| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
| keyword | +| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.client.x509.subject.country | List of country (C) code | keyword | +| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.client.x509.subject.locality | List of locality names (L) | keyword | +| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | +| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.version_number | Version of x509 format. | keyword | +| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | +| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | +| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | +| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | +| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | +| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | +| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | +| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | +| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | +| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | +| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.country | List of country (C) codes | keyword | +| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. 
| keyword | +| tls.server.x509.issuer.locality | List of locality names (L) | keyword | +| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| tls.server.x509.public_key_size | The size of the public key space in bits. | long | +| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.server.x509.subject.country | List of country (C) code | keyword | +| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.server.x509.subject.locality | List of locality names (L) | keyword | +| tls.server.x509.subject.organization | List of organizations (O) of subject. 
| keyword | +| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.version_number | Version of x509 format. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | +| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
| wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. 
| keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | +| vlan.id | VLAN ID as reported by the observer. | keyword | +| vlan.name | Optional VLAN name as reported by the observer. | keyword | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | +| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | +| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | +| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | +| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | +| vulnerability.report_id | The report or scan identification number. | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. 
| keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.environmental | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword | +| x509.issuer.country | List of country (C) codes | keyword | +| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| x509.issuer.locality | List of locality names (L) | keyword | +| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| x509.not_after | Time at which the certificate is no longer considered valid. | date | +| x509.not_before | Time at which the certificate is first considered valid. | date | +| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| x509.public_key_size | The size of the public key space in bits. | long | +| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| x509.subject.common_name | List of common names (CN) of subject. | keyword | +| x509.subject.country | List of country (C) code | keyword | +| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| x509.subject.locality | List of locality names (L) | keyword | +| x509.subject.organization | List of organizations (O) of subject. 
| keyword |
+| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| x509.version_number | Version of x509 format. | keyword |
diff --git a/packages/juniper_srx/1.3.0/img/logo.svg b/packages/juniper_srx/1.3.0/img/logo.svg
new file mode 100755
index 0000000000..8802414a5a
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/img/logo.svg
@@ -0,0 +1,72 @@ + +image/svg+xml \ No newline at end of file
diff --git a/packages/juniper_srx/1.3.0/manifest.yml b/packages/juniper_srx/1.3.0/manifest.yml
new file mode 100755
index 0000000000..f191409b24
--- /dev/null
+++ b/packages/juniper_srx/1.3.0/manifest.yml
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: juniper_srx
+title: Juniper SRX
+version: 1.3.0
+description: Collect logs from Juniper SRX devices with Elastic Agent.
+categories: ["network", "security"]
+release: ga
+license: basic
+type: integration
+conditions:
+ kibana.version: ^8.0.0
+policy_templates:
+ - name: juniper
+ title: Juniper SRX logs
+ description: Collect Juniper SRX logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Juniper SRX via UDP
+ description: Collecting syslog from Juniper SRX via UDP.
+ - type: tcp
+ title: Collect logs from Juniper SRX via TCP
+ description: Collecting syslog from Juniper SRX via TCP.
+ - type: filestream
+ title: Collect logs from Juniper SRX via file
+ description: Collecting syslog from Juniper SRX via file.
+icons:
+ - src: /img/logo.svg
+ title: Juniper logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/microsoft_dhcp/1.4.1/changelog.yml b/packages/microsoft_dhcp/1.4.1/changelog.yml
new file mode 100755
index 0000000000..536493b701
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/changelog.yml
@@ -0,0 +1,56 @@
+# newer versions go on top
+- version: "1.4.1"
+ changes:
+ - description: Format observer.mac as per ECS and add missing mappings for event.category, event.outcome, and event.type.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3300
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "1.3.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2423
+- version: "1.2.0"
+ changes:
+ - description: Add DHCPv6 Server support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2473
+- version: "1.1.0"
+ changes:
+ - description: Add more event.action and event.outcome values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2296
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2276
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1972
+- version: "0.1.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1793
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/microsoft_dhcp/1.4.1/data_stream/log/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..2b61987446
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/agent/stream/logfile.yml.hbs
@@ -0,0 +1,32 @@
+paths:
+{{#each paths as |path i|}}
+ - '{{path}}'
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
+processors:
+- drop_event:
+ when:
+ not:
+ regexp:
+ message: "^[0-9]+,.*"
+- add_observer_metadata:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..5f2a5b4cad
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
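Review bot: `- {{tag}}` and `tz_offset: {{tz_offset}}` are rendered unquoted, whereas the `paths` loop quotes each entry as `'{{path}}'`; a substituted value that looks like a boolean, a number or starts with a YAML indicator changes type or breaks the rendered document, because the template engine is unaware of YAML rules. Quoting them the same way, `- '{{tag}}'` and `tz_offset: '{{tz_offset}}'`, keeps every operator-supplied value a string. `- add_observer_metadata:` and `- add_locale: ~` spell the same empty value two ways; using one form for both is easier to lint. The `drop_event` regexp keeps only lines that begin with digits and a comma, which presumably skips the log header block; a one-line comment above it saying so, `# drop the header lines that precede the CSV records`, would save the next reader a lookup.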
@@ -0,0 +1,63 @@
+---
+description: Pipeline for processing Microsoft DHCP Server logs.
+processors:
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.timezone
+ value: "{{{_conf.tz_offset}}}"
+ if: "ctx?._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'"
+ - set:
+ field: event.original
+ override: false
+ copy_from: message
+ - remove:
+ field: message
+ ignore_missing: true
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "dhcp" }}'
+ if: "ctx?.log?.file?.path != null && !ctx.log.file.path.contains('V6')"
+ - pipeline:
+ name: '{{ IngestPipeline "dhcpv6" }}'
+ if: "ctx?.log?.file?.path != null && ctx.log.file.path.contains('V6')"
+ - foreach:
+ field: observer.mac
+ ignore_missing: true
+ processor:
+ gsub:
+ field: _ingest._value
+ pattern: '[:]'
+ replacement: '-'
+ - foreach:
+ field: observer.mac
+ ignore_missing: true
+ processor:
+ uppercase:
+ field: _ingest._value
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - _tmp_
+ - _conf
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
+ - remove:
+ field:
+ - _tmp_
+ - _conf
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
new file mode 100755
index 0000000000..6f891b51df
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
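Review bot: The `on_failure` handler only records `error.message`, so an event whose parsing failed still carries the `event.kind: event` set by the second processor and cannot be told apart from a fully parsed record by a query on event.kind; adding a third processor there, `- set:` with `field: event.kind` and `value: pipeline_error`, lets failed parses be surfaced and counted separately. The `rename` of `message` to `event.original` runs right after `remove` has deleted `message`, so with `ignore_missing: true` it is a no-op and can be dropped. Both `pipeline` processors require `log.file.path` to be non-null and route on whether it contains `V6`, so an event that arrives without that field runs neither sub-pipeline and leaves with only the fields set here; a comment on the first `pipeline` processor stating that the file name decides the format, `# routing: DHCPv6 logs are recognised by 'V6' in the file name; events without log.file.path are left unparsed`, would make that contract visible.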
@@ -0,0 +1,345 @@
+---
+## Reference document for DHCP field mapping: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10)
+description: Pipeline for processing Microsoft DHCP Server logs.
+processors:
+ - csv:
+ field: event.original
+ target_fields:
+ - event.code
+ - _tmp_.date
+ - _tmp_.time
+ - message
+ - host.ip
+ - host.domain
+ - _tmp_.mac
+ - user.name
+ - microsoft.dhcp.transaction_id
+ - microsoft.dhcp.result
+ - microsoft.dhcp.probation_time
+ - microsoft.dhcp.correlation_id
+ - microsoft.dhcp.dhc_id
+ - microsoft.dhcp.vendor.hex
+ - microsoft.dhcp.vendor.string
+ - microsoft.dhcp.user.hex
+ - microsoft.dhcp.user.string
+ - microsoft.dhcp.relay_agent_info
+ - microsoft.dhcp.dns_error_code
+ ignore_failure: true
+ - set:
+ field: _tmp_.timestamp
+ value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
+ - date:
+ field: _tmp_.timestamp
+ formats:
+ - "MM/dd/yy HH:mm:ss"
+ timezone: "{{{event.timezone}}}"
+ - script:
+ description: Set event action, category, outcome, and type for all known event types.
+ lang: painless
+ tag: Add ECS categorization fields
+ params:
+ "00":
+ action: log-start
+ category:
+ - process
+ type:
+ - start
+ "01":
+ action: log-end
+ category:
+ - process
+ type:
+ - end
+ "02":
+ action: log-pause
+ category:
+ - process
+ type:
+ - change
+ outcome: failure
+ "10":
+ action: dhcp-new
+ category:
+ - network
+ type:
+ - allowed
+ - connection
+ "11":
+ action: dhcp-renew
+ category:
+ - network
+ type:
+ - allowed
+ - connection
+ "12":
+ action: dhcp-release
+ category:
+ - network
+ type:
+ - allowed
+ - connection
+ "13":
+ category:
+ - network
+ type:
+ - connection
+ "14":
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "15":
+ action: dhcp-deny
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "16":
+ action: dhcp-delete
+ category:
+ - network
+ type:
+ - connection
+ "17":
+ action: dhcp-expire
+ category:
+ - network
+ type:
+ - connection
+ "18":
+ action: dhcp-expire
+ category:
+ - network
+ type:
+ - connection
+ "20":
+ category:
+ - network
+ type:
+ - allowed
+ - connection
+ "21":
+ category:
+ - network
+ type:
+ - allowed
+ - connection
+ "22":
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "23":
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "24":
+ action: ip-cleanup-start
+ category:
+ - process
+ type:
+ - start
+ "25":
+ action: ip-cleanup-end
+ category:
+ - process
+ type:
+ - start
+ "30":
+ action: dhcp-dns-update
+ category:
+ - network
+ type:
+ - connection
+ "31":
+ action: dhcp-dns-update
+ category:
+ - network
+ type:
+ - connection
+ outcome: failure
+ "32":
+ action: dhcp-dns-update
+ category:
+ - network
+ type:
+ - connection
+ "33":
+ category:
+ - network
+ type:
+ - connection
+ outcome: failure
+ "34":
+ action: dhcp-dns-update
+ category:
+ - network
+ type:
+ - connection
+ outcome: failure
+ "35":
+ action: dhcp-dns-update
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "36":
+ category:
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "50":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ outcome: failure
+ "51":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - allowed
+ - connection
+ "52":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "53":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - allowed
+ - connection
+ "54":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "55":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - allowed
+ - connection
+ "56":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ - denied
+ outcome: failure
+ "57":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "58":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ outcome: failure
+ "59":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ outcome: failure
+ "60":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "61":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "62":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "63":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ "64":
+ action: rogue-server-detection
+ category:
+ - authentication
+ - network
+ type:
+ - connection
+ source: |-
+ if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
+ return;
+ }
+ def hm = new HashMap(params[ctx.event.code]);
+ hm.forEach((k, v) -> ctx.event[k] = v);
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx?.event?.outcome == null
+ - gsub:
+ field: _tmp_.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+ - uppercase:
+ field: _tmp_.mac
+ ignore_missing: true
+ - append:
+ if: ctx?._tmp_?.mac != null
+ field: host.mac
+ value: '{{{_tmp_.mac}}}'
+on_failure:
+ - set:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
new file mode 100755
index 0000000000..cb33e6d7e7
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
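Review bot: The `"25"` entry maps `ip-cleanup-end` to `type: - start`, which contradicts the neighbouring `"24"` `ip-cleanup-start` entry and the `"01"` `log-end` entry that uses `end`; it should read `- end`, and the dhcpv6 hunk that follows appears to have the same slip at `"11011"`, whose `type: - stop` is not one of the ECS event.type values where `end` fits. The trailing `set` assigns `event.outcome: success` to every event the script left without an outcome, including codes absent from `params` for which the script returned early, so an unrecognised record is reported as a success; guarding it with `if: ctx?.event?.outcome == null && ctx?.event?.category != null` restricts the default to codes the script actually classified. The `gsub` pattern `(..)(?!$)` with `$1-` assumes `_tmp_.mac` is a 12-character hex string; if that column can carry values of other lengths, `host.mac` ends up malformed rather than absent, which is worth either a length check in the `if` or a comment stating the assumption.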
@@ -0,0 +1,244 @@
+---
+description: Pipeline for processing Microsoft DHCPv6 Server logs.
+processors:
+ - csv:
+ field: event.original
+ target_fields:
+ - event.code
+ - _tmp_.date
+ - _tmp_.time
+ - message
+ - host.ip
+ - host.domain
+ - microsoft.dhcp.error_code
+ - microsoft.dhcp.duid.length
+ - microsoft.dhcp.duid.hex
+ - microsoft.dhcp.user.string
+ - microsoft.dhcp.dhc_id
+ - microsoft.dhcp.subnet_prefix
+ ignore_failure: true
+ - set:
+ field: _tmp_.timestamp
+ value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
+ - date:
+ field: _tmp_.timestamp
+ formats:
+ - "MM/dd/yy HH:mm:ss"
+ timezone: "{{{event.timezone}}}"
+ - script:
+ description: Set event action, category, outcome, and type for all known event types.
+ lang: painless
+ tag: Add ECS categorization fields
+ params:
+ "11000":
+ action: dhcpv6-solicit
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11001":
+ action: dhcpv6-advertise
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11002":
+ action: dhcpv6-request
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11003":
+ action: dhcpv6-confirm
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11004":
+ action: dhcpv6-renew
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11005":
+ action: dhcpv6-rebind
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ "11006":
+ action: dhcpv6-decline
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ outcome: failure
+ "11007":
+ action: dhcpv6-release
+ category:
+ - network
+ type:
+ - connection
+ "11008":
+ action: dhcpv6-info-request
+ category:
+ - network
+ type:
+ - connection
+ "11009":
+ action: dhcpv6-scope-full
+ category:
+ - network
+ type:
+ - connection
+ "11010":
+ action: log-start
+ category:
+ - process
+ type:
+ - start
+ "11011":
+ action: log-stop
+ category:
+ - process
+ type:
+ - stop
+ "11012":
+ action: log-pause
+ category:
+ - process
+ type:
+ - change
+ "11013":
+ action: log-file
+ category:
+ - process
+ type:
+ - info
+ "11014":
+ action: dhcpv6-bad-address
+ category:
+ - network
+ type:
+ - connection
+ outcome: failure
+ "11015":
+ action: dhcpv6-address-in-use
+ category:
+ - network
+ type:
+ - connection
+ "11016":
+ action: dhcpv6-client-deleted
+ category:
+ - network
+ type:
+ - connection
+ "11017":
+ action: ipv6-dns-record-not-deleted
+ category:
+ - network
+ type:
+ - connection
+ "11018":
+ action: dhcpv6-expired
+ category:
+ - network
+ type:
+ - connection
+ "11019":
+ action: dhcpv6-lease-expired-deleted
+ category:
+ - network
+ type:
+ - connection
+ "11020":
+ action: dhcpv6-cleanup-start
+ category:
+ - process
+ type:
+ - start
+ "11021":
+ action: dhcpv6-cleanup-end
+ category:
+ - process
+ type:
+ - end
+ "11022":
+ action: ipv6-dns-update-request
+ category:
+ - network
+ type:
+ - connection
+ - start
+ "11023":
+ action: ipv6-dns-update-failed
+ category:
+ - network
+ type:
+ - connection
+ - end
+ outcome: failure
+ "11024":
+ action: ipv6-dns-update-successful
+ category:
+ - network
+ type:
+ - connection
+ - end
+ "11028":
+ action: ipv6-dns-update-request-queue-exceeded
+ category:
+ - network
+ type:
+ - connection
+ - end
+ outcome: failure
+ "11029":
+ action: ipv6-dns-update-request-failed
+ category:
+ - network
+ type:
+ - connection
+ - end
+ outcome: failure
+ "11030":
+ action: dhcpv6-stateless-clients-pruged
+ category:
+ - process
+ type:
+ - change
+ "11031":
+ action: dhcpv6-stateless-clients-expired
+ category:
+ - process
+ type:
+ - change
+ "11032":
+ action: dhcpv6-stateless-client-info-request
+ category:
+ - network
+ type:
+ - info
+ source: |-
+ if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
+ return;
+ }
+ def hm = new HashMap(params[ctx.event.code]);
+ hm.forEach((k, v) -> ctx.event[k] = v);
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx?.event?.outcome == null
+on_failure:
+ - set:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/agent.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..dbed2e68dc
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/agent.yml
@@ -0,0 +1,4 @@
+- name: input.type
+ type: keyword
+- name: log.offset
+ type: long
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/base-fields.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..096db185c7
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: microsoft_dhcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: microsoft_dhcp.log
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/ecs.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..6d56ae30e7
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/ecs.yml
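Review bot: The closing `set` on `event.outcome` writes `success` into every document that has no outcome yet, which includes lines the `csv` processor failed on silently (`ignore_failure: true`) and codes the script does not know (it returns before setting anything), so unparsed or unrecognised events are reported as successful; limiting it to categorised events, `if: ctx?.event?.outcome == null && ctx?.event?.action != null`, leaves `event.outcome` unset where ECS says it does not apply. The dhcp.yml hunk above ends with the same `set`. `_tmp_.date`, `_tmp_.time` and `_tmp_.timestamp` are never removed here; unless the calling pipeline strips `_tmp_` after its `pipeline` processor (not visible in this diff), they are stored with the event, and a final `- remove: { field: _tmp_, ignore_missing: true }` would close that. The `"11030"` action `dhcpv6-stateless-clients-pruged` looks like a typo for `purged`; because `event.action` is the value dashboards and detection rules filter on, it is cheaper to fix before the package ships than after.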
@@ -0,0 +1,103 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Name of the domain of which the host is a member.
+ For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
+ name: host.domain
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ MAC addresses of the observer.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: observer.mac
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/fields.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..3d7eebb86c
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/fields/fields.yml
@@ -0,0 +1,63 @@
+- name: microsoft.dhcp
+ type: group
+ fields:
+ - name: transaction_id
+ type: keyword
+ description: |
+ The DHCP transaction ID.
+ - name: result
+ type: keyword
+ description: |
+ The DHCP result type, for example "NoQuarantine", "Drop Packet" etc.
+ - name: probation_time
+ type: keyword
+ description: |
+ The probation time before lease ends on specific IP.
+ - name: correlation_id
+ type: keyword
+ description: |
+ The NAP correlation ID related to the client/server transaction.
+ - name: dhc_id
+ type: keyword
+ description: |
+ The related DHCID (DHC DNS record).
+ - name: vendor.hex
+ type: keyword
+ description: |
+ Hex representation of the vendor.
+ - name: vendor.string
+ type: keyword
+ description: |
+ String representation of the vendor.
+ - name: user.hex
+ type: keyword
+ description: |
+ Hex representation of the user.
+ - name: user.string
+ type: keyword
+ description: |
+ String representation of the user.
+ - name: relay_agent_info
+ type: keyword
+ description: |
+ Information about DHCP relay agent used for the DHCP request.
+ - name: dns_error_code
+ type: keyword
+ description: |
+ DNS error code communicated to client.
+ - name: error_code
+ type: keyword
+ description: |
+ DHCP server error code.
+ - name: duid.length
+ type: keyword
+ description: |
+ The length of the DUID field.
+ - name: duid.hex
+ type: keyword
+ description: |
+ The related DHCP Unique Identifier (DUID) for the host (DHCPv6).
+ - name: subnet_prefix
+ type: keyword
+ description: |
+ The number of bits for the subnet prefix.
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/manifest.yml b/packages/microsoft_dhcp/1.4.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..092f44f2b0
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/manifest.yml
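Review bot: `microsoft.dhcp.subnet_prefix` and `microsoft.dhcp.duid.length` are mapped as `keyword` although their own descriptions state numeric values (`The number of bits for the subnet prefix`, `The length of the DUID field`), so range queries and sorting on them compare strings, where `"9"` lands after `"64"`. If that is deliberate because the csv processor yields strings, a short note in the description (`kept as keyword; the csv processor emits strings`) would save the next reader the question; otherwise `type: long` is the mapping that matches the documented meaning. Every `description: |` also keeps a trailing newline in the rendered field docs; `|-` is the usual form for one-line descriptions.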
@@ -0,0 +1,50 @@
+title: "Microsoft DHCP Logs"
+type: logs
+streams:
+ - input: logfile
+ template_path: logfile.yml.hbs
+ title: DHCP Logs
+ description: Collects Microsoft DHCP logs.
+ vars:
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ show_user: true
+ default:
+ - 'C:\Windows\System32\DHCP\DhcpSrvLog-*.log'
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - microsoft_dhcp
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/microsoft_dhcp/1.4.1/data_stream/log/sample_event.json b/packages/microsoft_dhcp/1.4.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..fc2dbc6524
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/data_stream/log/sample_event.json
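Review bot: The `paths` default lists only `'C:\Windows\System32\DHCP\DhcpSrvLog-*.log'`, while the README added in this same commit says DHCPv6 server logs (`DhcpV6SrvLog-*.log`) are also ingested; unless an operator adds that pattern by hand, the dhcpv6 pipeline presumably never receives input, so either add `- 'C:\Windows\System32\DHCP\DhcpV6SrvLog-*.log'` to the default or say in the var description that it has to be added. The `tz_offset` description ends with `from UCT`, which should read `from UTC`. The added empty line after the `processors` description is a trailing blank line at end of file, which yamllint's `empty-lines` rule flags by default.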
@@ -0,0 +1,77 @@
+{
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "type": "filebeat",
+ "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d",
+ "version": "8.2.0"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/test-dhcpV6.log"
+ },
+ "offset": 1619
+ },
+ "elastic_agent": {
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "version": "8.2.0",
+ "snapshot": false
+ },
+ "message": "DHCPV6 Request",
+ "microsoft": {
+ "dhcp": {
+ "duid": {
+ "length": "18",
+ "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA"
+ }
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "microsoft_dhcp"
+ ],
+ "observer": {
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "172.18.0.7"
+ ],
+ "mac": [
+ "02-42-AC-12-00-07"
+ ]
+ },
+ "input": {
+ "type": "log"
+ },
+ "@timestamp": "2021-12-06T12:43:57.000-05:00",
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "namespace": "ep",
+ "type": "logs",
+ "dataset": "microsoft_dhcp.log"
+ },
+ "host": {
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "domain": "test-host"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "ingested": "2022-05-09T14:40:22Z",
+ "original": "11002,12/06/21,12:43:57,DHCPV6 Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,",
+ "code": "11002",
+ "timezone": "America/New_York",
+ "kind": "event",
+ "action": "dhcpv6-request",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection",
+ "protocol"
+ ],
+ "dataset": "microsoft_dhcp.log",
+ "outcome": "success"
+ }
+}
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.4.1/docs/README.md b/packages/microsoft_dhcp/1.4.1/docs/README.md
new file mode 100755
index 0000000000..4a669c1370
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/docs/README.md
@@ -0,0 +1,148 @@
+# Microsoft DHCP
+
+This integration collects logs and metrics from Microsoft DHCP logs.
+
+## Compatibility
+
+This integration has been made to support the DHCP log format from Windows Server 2008 and later.
+
+### Logs
+
+Ingest logs from Microsoft DHCP Server, by default logged with the filename format:
+`%windir%\System32\DHCP\DhcpSrvLog-*.log`
+
+Logs may also be ingested from Microsoft DHCPv6 Server, by default logged with the filename format:
+`%windir%\System32\DHCP\DhcpV6SrvLog-*.log`
+
+Relevant documentation for Microsoft DHCP can be found on [this]https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10) location.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "type": "filebeat",
+ "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d",
+ "version": "8.2.0"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/test-dhcpV6.log"
+ },
+ "offset": 1619
+ },
+ "elastic_agent": {
+ "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
+ "version": "8.2.0",
+ "snapshot": false
+ },
+ "message": "DHCPV6 Request",
+ "microsoft": {
+ "dhcp": {
+ "duid": {
+ "length": "18",
+ "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA"
+ }
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "microsoft_dhcp"
+ ],
+ "observer": {
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "172.18.0.7"
+ ],
+ "mac": [
+ "02-42-AC-12-00-07"
+ ]
+ },
+ "input": {
+ "type": "log"
+ },
+ "@timestamp": "2021-12-06T12:43:57.000-05:00",
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "namespace": "ep",
+ "type": "logs",
+ "dataset": "microsoft_dhcp.log"
+ },
+ "host": {
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "domain": "test-host"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "ingested": "2022-05-09T14:40:22Z",
+ "original": "11002,12/06/21,12:43:57,DHCPV6 Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,",
+ "code": "11002",
+ "timezone": "America/New_York",
+ "kind": "event",
+ "action": "dhcpv6-request",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection",
+ "protocol"
+ ],
+ "dataset": "microsoft_dhcp.log",
+ "outcome": "success"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| input.type | | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.offset | | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| microsoft.dhcp.correlation_id | The NAP correlation ID related to the client/server transaction. | keyword |
+| microsoft.dhcp.dhc_id | The related DHCID (DHC DNS record). | keyword |
+| microsoft.dhcp.dns_error_code | DNS error code communicated to client. | keyword |
+| microsoft.dhcp.duid.hex | The related DHCP Unique Identifier (DUID) for the host (DHCPv6). | keyword |
+| microsoft.dhcp.duid.length | The length of the DUID field. | keyword |
+| microsoft.dhcp.error_code | DHCP server error code. | keyword |
+| microsoft.dhcp.probation_time | The probation time before lease ends on specific IP. | keyword |
+| microsoft.dhcp.relay_agent_info | Information about DHCP relay agent used for the DHCP request. | keyword |
+| microsoft.dhcp.result | The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. | keyword |
+| microsoft.dhcp.subnet_prefix | The number of bits for the subnet prefix. | keyword |
+| microsoft.dhcp.transaction_id | The DHCP transaction ID. | keyword |
+| microsoft.dhcp.user.hex | Hex representation of the user. | keyword |
+| microsoft.dhcp.user.string | String representation of the user. | keyword |
+| microsoft.dhcp.vendor.hex | Hex representation of the vendor. | keyword |
+| microsoft.dhcp.vendor.string | String representation of the vendor. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/microsoft_dhcp/1.4.1/img/logo.svg b/packages/microsoft_dhcp/1.4.1/img/logo.svg
new file mode 100755
index 0000000000..5334aa7ca6
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/img/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.4.1/manifest.yml b/packages/microsoft_dhcp/1.4.1/manifest.yml
new file mode 100755
index 0000000000..3d1815229e
--- /dev/null
+++ b/packages/microsoft_dhcp/1.4.1/manifest.yml
@@ -0,0 +1,27 @@
+format_version: 1.0.0
+name: microsoft_dhcp
+title: Microsoft DHCP
+version: "1.4.1"
+license: basic
+description: Collect logs from Microsoft DHCP with Elastic Agent.
+type: integration
+categories:
+ - network
+release: ga
+conditions:
+ kibana.version: ^7.14.0 || ^8.0.0
+icons:
+ - src: /img/logo.svg
+ title: Microsoft logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: microsoft_dhcp
+ title: Microsoft DHCP
+ description: Collect Microsoft DHCP logs.
+ inputs:
+ - type: logfile
+ title: Logs from file
+ description: Collect DHCP logs from file.
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/mimecast/0.0.12/changelog.yml b/packages/mimecast/0.0.12/changelog.yml
new file mode 100755
index 0000000000..e1c6960642
--- /dev/null
+++ b/packages/mimecast/0.0.12/changelog.yml
@@ -0,0 +1,72 @@ +- version: "0.0.12" + changes: + - description: Add more use cases for parsing audit events. + type: enhancement + link: https://github.com/elastic/integrations/pull/3231 +- version: "0.0.11" + changes: + - description: Update integration description for consistency with other integrations. + type: enhancement + link: https://github.com/elastic/integrations/pull/3193 + - description: Add missing ECS event.* field mappings. + type: bugfix + link: https://github.com/elastic/integrations/pull/3193 +- version: "0.0.10" + changes: + - description: Add more use cases to audit_events pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/3116 + - description: Implement geo.ip for siem logs + type: enhancement + link: https://github.com/elastic/integrations/pull/3116 + - description: Remove user part for ttp-url logs and add email.to.address for recipient + type: enhancement + link: https://github.com/elastic/integrations/pull/3116 +- version: "0.0.9" + changes: + - description: Update ecs to version 8.2.0 and implement better practice for email ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/2841 +- version: "0.0.8" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.0.7" + changes: + - description: Add content-disposition to test mock to properly create sample event from SIEM logs. + type: bugfix + link: https://github.com/elastic/integrations/pull/2739 +- version: "0.0.6" + changes: + - description: Add use cases for audit events and update sample events and docs + type: enhancement + link: https://github.com/elastic/integrations/pull/2690 +- version: "0.0.5" + changes: + - description: Fix typo + type: bugfix + link: https://github.com/elastic/integrations/pull/2644 + - description: Add 8.0.0 compatibility, fix team name in manifest, and remove redundant `event.ingested` from pipelines. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/2683 +- version: "0.0.4" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.0.3" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.0.2" + changes: + - description: Tweaking the dashboards + type: enhancement + link: https://github.com/elastic/integrations/pull/2289 +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/2157 diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/audit_events/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..7d7a875d1a --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,51 @@ +config_version: "2" +interval: {{interval}} +request.url: {{api_url}} +request.method: "POST" +request.transforms: +- set: + target: body.meta.pagination.pageSize + value: 500 +- set: + target: body.data + value: '[{"endDateTime": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "startDateTime":"[[.cursor.next_date]]"}]' + default: '[{"endDateTime": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "startDateTime":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]' + value_type: json +- set: + target: header.x-mc-app-id + value: {{app_id}} +- set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' +- set: + target: header.x-mc-req-id + value: '[[uuid]]' +- set: + target: header.Authorization + value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/audit/get-audit-events:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]' + fail_on_template_error: true +response.decode_as: application/json +response.split: + target: body.data +response.pagination: +- set: + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + fail_on_template_error: true +cursor: + next_date: + value: '[[.first_event.eventTime]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0284d026c9 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
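Review bot: `request.url: {{api_url}}` and `value: {{app_id}}` are rendered unquoted into the YAML, so a policy value containing a YAML indicator (`: `, ` #`, a leading `[`/`{`/`*`) or one that looks like a number would change type or break the rendered config, and an empty value becomes null rather than an empty string. The neighbouring `x-mc-date` and `x-mc-req-id` values are quoted, so quoting these too is both more robust and consistent: `request.url: "{{api_url}}"` and `value: "{{app_id}}"`. The same unquoted `{{api_url}}`/`{{app_id}}` appear in the dlp_logs template later in this commit. These values are operator-supplied through the integration policy rather than read from the remote service, so this is a robustness point rather than an injection one.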
@@ -0,0 +1,337 @@ +--- +description: Pipeline for processing Mimecast audit_events. +processors: + # Generic event/ecs fields we always want to populate. + - set: + field: ecs.version + value: "8.2.0" + - rename: + field: message + target_field: event.original + - json: + description: Parse 'message' JSON contents into a 'mimecast' object. + field: event.original + target_field: mimecast + - drop: + if: ctx?.mimecast?.eventTime == null + - date: + description: Use 'mimecast.eventTime' as the '@timestamp' + field: mimecast.eventTime + timezone: UTC + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + - "yyyy-MM-dd'T'HH:mm:ss z" + + ### + + # Convert 'mimecast.auditType' to a bone-cased event action. + # ie: User Log On -> user-log-on + - lowercase: + field: mimecast.auditType + ignore_missing: true + - gsub: + field: mimecast.auditType + pattern: " " + replacement: "-" + ignore_missing: true + - rename: + field: mimecast.auditType + target_field: event.action + ignore_missing: true + ### + + # User fields + - rename: + field: mimecast.user + target_field: user.email + ignore_missing: true + - rename: + field: mimecast.id + target_field: event.id + ignore_missing: true + ### + # Here we want to add as much categorization information as possible + # We can do this by parsing mimecast.eventInfo differently based on + # what event.action is, etc. 
+ ### + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" + if: 'ctx.event?.action=="logon-authentication-failed"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time} %{mimecast.timezone}, %{?key}: : %{client.ip},, %{?key}: %{mimecast.application}, %{?key}: %{event.reason}" + if: 'ctx.event?.action=="logon-authentication-failed"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.info}, %{?key} : %{mimecast.date}, %{?key} : %{mimecast.time}, %{?key} : %{client.ip}, %{?key} : %{mimecast.application}, %{mimecast.remote}" + if: 'ctx.event?.action=="logon-authentication-failed"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.info}, %{mimecast.rest_of_event_info}" + if: 'ctx.mimecast?.info == null' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" + if: 'ctx.event?.action=="folder-log-entry" || ctx.event?.action=="custom-report-definition-created" || ctx.event?.action=="mimecast-support-login"' + ignore_missing: true + ignore_failure: true + - kv: + field: mimecast.rest_of_event_info + field_split: ", " + value_split: ": " + target_field: mimecast.event_info_parts + ignore_failure: true + ignore_missing: true + - set: + field: mimecast.remote + value: "{{{mimecast.rest_of_event_info}}}" + if: 'ctx.event?.action=="user-logged-on" && ctx?.mimecast?.event_info_parts?.IP == null' + - grok: + field: mimecast.remote + patterns: + - "%{IP:mimecast.remote_ip}" + ignore_missing: true + - 
rename: + field: mimecast.event_info_parts.Date + target_field: mimecast.date + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Time + target_field: mimecast.time + ignore_missing: true + - rename: + field: mimecast.event_info_parts.IP + target_field: client.ip + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Application + target_field: mimecast.application + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Method + target_field: mimecast.method + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Reason + target_field: event.reason + ignore_missing: true + - rename: + field: mimecast.info + target_field: mimecast.filename + ignore_missing: true + if: 'ctx.event?.action == "threat-intel-feed-download"' + - rename: + field: mimecast.event_info_parts.Processed + target_field: email.origination_timestamp + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.event_info_parts.2FA + target_field: mimecast.2FA + ignore_missing: true + - dissect: + field: mimecast.event_info_parts.From + pattern: "<%{?drop}> %{email.from.address}" + if: 'ctx.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.event_info_parts.To + pattern: "<%{?drop}> %{email.to.address}" + if: 'ctx.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "[%{?key} : %{mimecast.export_type},%{?key} :%{mimecast.export_name},%{?key} :%{user.email},%{?key} :%{mimecast.weekday} %{mimecast.month} %{mimecast.monthday} %{mimecast.time} %{mimecast.timezone} %{mimecast.year},%{?key} :%{client.ip},%{?key} :%{mimecast.columns_exported},%{?key} : %{file.name},%{?key}: %{file.size},%{?key} : %{file.extension}], %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: 
%{mimecast.application}" + if: 'ctx.event?.action=="page-data-exports"' + ignore_missing: true + ignore_failure: true + - grok: + field: mimecast.rest_of_event_info + patterns: + - "%{IP:client.ip}" + ignore_missing: true + ignore_failure: true + if: 'ctx?.event?.action=="user-logged-on" && ctx?.mimecast?.event_info_parts?.IP == null' + - set: + field: email.from.address + value: ["{{{email.from.address}}}"] + if: "ctx?.email?.from?.address != null" + - set: + field: email.to.address + value: ["{{{email.to.address}}}"] + if: "ctx?.email?.to?.address != null" + - dissect: + field: email.from.address + pattern: "<%{email.from.address}>" + ignore_missing: true + ignore_failure: true + - dissect: + field: email.to.address + pattern: "<%{email.to.address}>" + ignore_missing: true + ignore_failure: true + - convert: + field: file.size + type: long + ignore_missing: true + - split: + field: user.email + separator: "@" + target_field: user.parts + if: 'ctx?.user?.email != null' + - set: + field: user.name + copy_from: user.parts.0 + if: 'ctx?.user?.parts !=null && ctx?.user?.parts.length > 1' + - set: + field: user.domain + copy_from: user.parts.1 + if: 'ctx?.user?.parts !=null && ctx?.user?.parts.length > 1' + - rename: + field: mimecast.filename + target_field: file.name + ignore_missing: true + if: 'ctx?.mimecast?.filename != null && ctx?.event?.action == "threat-intel-feed-download"' + - split: + field: file.name + separator: "\\." 
+ target_field: file.parts + if: 'ctx?.file?.name != null && ctx?.event?.action == "threat-intel-feed-download"' + - script: + lang: painless + source: | + ctx.file.extension = ctx.file.parts[ctx.file.parts.length-1]; + if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1' + - set: + field: event.created + value: "{{mimecast.date}} {{mimecast.time}}" + if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' + - date: + field: event.created + target_field: event.created + timezone: UTC + formats: + - yyyy-MM-dd HH:mm:ssZ + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssz + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.Sz + - yyyy-MM-dd'T'HH:mm:ss.SZ + - yyyy-MM-dd'T'HH:mm:ss.SSz + - yyyy-MM-dd'T'HH:mm:ss.SSZ + - yyyy-MM-dd'T'HH:mm:ss.SSSz + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy-MM-dd'T'HH:mm:ss z + if: 'ctx?.event?.created != null' + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + target_field: client.as.organization.name + ignore_missing: true + - append: + field: related.ip + value: "{{client.ip}}" + allow_duplicates: false + if: 'ctx?.client?.ip !=null' + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + if: 'ctx?.user?.name !=null' + - append: + field: related.user + value: "{{user.email}}" + allow_duplicates: false + if: ctx?.user?.email != null + - lowercase: + field: email.direction + ignore_missing: true + # Cleanup + - remove: + description: Cleanup of repeated/unwanted/temporary fields. 
+ field: + - mimecast.eventTime + - user.parts + - mimecast.date + - mimecast.time + - file.parts + - mimecast.info + - mimecast.type + - mimecast.search + - mimecast.description + - mimecast.product + - mimecast.provider + - mimecast.filename + - mimecast.criteria + - mimecast.viewed + - mimecast.timezone + - mimecast.byuser + - mimecast.export_type + - mimecast.export_name + - mimecast.weekday + - mimecast.month + - mimecast.monthday + - mimecast.year + - mimecast.columns_exported + - mimecast.as.asn + - mimecast.organization_name + - mimecast.event_info_parts + - mimecast.rest_of_event_info + + ignore_missing: true + - remove: + description: Remove 'event.original' if 'preserve_original_event' is not set. + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - remove: + description: Remove 'source.ip' if 'auditType' is not set. + field: source.ip + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + + + ### + +# Error handling +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/audit_events/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/fields/agent.yml 
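Review bot: The last `remove` processor's description ("Remove 'source.ip' if 'auditType' is not set") does not match its condition, which is a copy of the `event.original` check (`ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))`), and nothing earlier in the pipeline writes `source.ip` (the dissect, grok and geoip processors all target `client.ip`), so with `ignore_failure: true` it is a silent no-op that will mislead the next maintainer; either delete it or give it the field and condition the description promises. The cleanup list in the first `remove` likewise names `mimecast.as.asn` and `mimecast.organization_name`, which are never set — the ASN fields live under `client.as` and are already renamed to `client.as.number`/`client.as.organization.name`. A further ordering issue: the two `set` processors that wrap `email.from.address`/`email.to.address` in an array run before the dissect processors that strip `<...>` from those same fields, and dissect on an array value fails and is swallowed by `ignore_failure`, so the angle-bracket stripping appears never to apply. Moving those two dissects ahead of the array-wrapping `set` processors would make them effective; worth confirming with a pipeline test that feeds a `message-action` event with `From: <x> a@b.c`.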
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/audit_events/fields/base-fields.yml new file mode 100755 index 0000000000..d705e5e80a --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: mimecast +- name: event.dataset + type: constant_keyword + description: Event dataset + value: mimecast.audit_events +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/audit_events/fields/ecs.yml new file mode 100755 index 0000000000..21c305bd20 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/fields/ecs.yml 
@@ -0,0 +1,116 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. + name: email.origination_timestamp + type: date +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: |- + The action captured by the event. 
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
+ name: event.reason + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/fields/field.yml b/packages/mimecast/0.0.12/data_stream/audit_events/fields/field.yml new file mode 100755 index 0000000000..ba9562dc64 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/fields/field.yml 
@@ -0,0 +1,30 @@ +- name: mimecast + type: group + fields: + - name: category + type: keyword + description: The category of the event. + - name: eventInfo + type: keyword + description: The detailed event information. + - name: application + type: keyword + description: The Mimecast unique id of the event. + - name: email.metadata + type: keyword + description: The email meta data from audit info. + - name: email.address + type: keyword + description: Email address from event info. + - name: method + type: keyword + description: Method which triggers audit events. + - name: 2FA + type: keyword + description: Info about two-factor authentication. + - name: remote + type: keyword + description: Info about remote IP trying to access the API. + - name: remote_ip + type: ip + description: Remote IP. diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/manifest.yml b/packages/mimecast/0.0.12/data_stream/audit_events/manifest.yml new file mode 100755 index 0000000000..bf4c853456 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/manifest.yml 
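Review bot: The description for `mimecast.application` ("The Mimecast unique id of the event.") does not match what the pipeline stores there: every dissect and rename in this commit's audit_events ingest pipeline fills `mimecast.application` from the `Application:` part of `eventInfo` (e.g. `mimecast-case-review` in the sample event), while the unique id is moved to `event.id`. Suggest `description: The Mimecast application that generated the event, taken from the "Application" part of eventInfo.` so the exported field reference is not misleading.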
@@ -0,0 +1,77 @@ +title: "Audit Events Mimecast Logs" +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Audit events + description: Collect audit Events Logs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: false + default: 5m + - name: api_url + type: text + title: API URL + description: API Url. + multi: false + required: true + show_user: false + default: https://eu-api.mimecast.com/api/audit/get-audit-events + - name: app_key + type: password + title: Application Key + description: Specifies application key for user. + multi: false + required: true + show_user: true + - name: app_id + type: password + title: Application ID + description: Set the Application Id. + multi: false + required: true + show_user: true + - name: access_key + type: password + title: Access Key + description: Set Access Key. + multi: false + required: true + show_user: true + - name: secret_key + type: password + title: Secret Key + description: Set Secret Key. + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - mimecast-audit-events + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/mimecast/0.0.12/data_stream/audit_events/sample_event.json b/packages/mimecast/0.0.12/data_stream/audit_events/sample_event.json new file mode 100755 index 0000000000..8cb763e52d --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/audit_events/sample_event.json 
@@ -0,0 +1,55 @@ +{ + "@timestamp": "2021-11-16T12:01:37.000Z", + "agent": { + "ephemeral_id": "a52ffcd4-9b76-4efd-bc6d-4afebe1b20d6", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.audit_events", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "search-action", + "agent_id_status": "verified", + "created": "2022-05-09T10:21:38.573Z", + "dataset": "mimecast.audit_events", + "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", + "ingested": "2022-05-09T10:21:39Z", + "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "category": "case_review_logs", + "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" + }, + "related": { + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-audit-events" + ], + "user": { + 
"domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0f2331d944 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs @@ -0,0 +1,50 @@ +config_version: "2" +interval: {{interval}} +request.url: {{api_url}} +request.method: "POST" +request.transforms: + - set: + target: body.data + value: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.eventTime]]"}]' + default: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: {{app_id}} + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: "[[uuid]]" + - set: + target: header.Authorization + value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/dlp/get-logs:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]' + fail_on_template_error: true +response.decode_as: application/json +response.split: + target: body.data + split: + target: body.dlpLogs +response.pagination: +- set: + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + fail_on_template_error: true +cursor: +next_date: + value: '[[.first_event.eventTime]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..df5a832b74
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,91 @@ +--- +description: Pipeline for processing Mimecast dlp_logs. +processors: + # Generic event/ecs fields we always want to populate. + - set: + field: ecs.version + value: "8.2.0" + - rename: + field: message + target_field: event.original + - json: + description: Parse 'message' JSON contents into a 'mimecast' object. + field: event.original + target_field: mimecast + - drop: + if: ctx?.mimecast?.eventTime == null + - date: + description: Use 'mimecast.eventTime' as the '@timestamp' + field: mimecast.eventTime + timezone: UTC + formats: + - yyyy-MM-dd'T'HH:mm:ssZ + + ### + - append: + field: email.from.address + value: "{{{mimecast.senderAddress}}}" + if: "ctx?.mimecast?.senderAddress != null" + - append: + field: email.to.address + value: "{{{mimecast.recipientAddress}}}" + if: "ctx?.mimecast?.recipientAddress != null" + - dissect: + field: email.from.address + pattern: "<%{email.from.address}>" + ignore_missing: true + ignore_failure: true + - dissect: + field: email.to.address + pattern: "<%{email.to.address}>" + ignore_missing: true + ignore_failure: true + - rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + if: 'ctx?.mimecast?.action !=null' + - rename: + field: mimecast.subject + target_field: email.subject + ignore_missing: true + if: 'ctx?.mimecast?.subject !=null' + - rename: + field: mimecast.messageId + target_field: email.message_id + ignore_missing: true + if: 'ctx?.mimecast?.messageId !=null' + - rename: + field: mimecast.route + target_field: email.direction + ignore_missing: true + if: 'ctx?.mimecast?.route !=null' + - rename: + field: mimecast.policy + target_field: rule.name + ignore_missing: true + if: 'ctx?.mimecast?.policy !=null' + - set: + field: event.created + value: "{{mimecast.eventTime}}" + if: 'ctx?.mimecast?.eventTime != null' + - lowercase: + field: email.direction + ignore_missing: true + # Cleanup + - remove: + description: Cleanup of repeated/unwanted/temporary fields. 
+ field: + - mimecast + ignore_missing: true + - remove: + description: Remove 'event.original' if 'preserve_original_event' is not set. + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + +# Error handling +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/agent.yml 
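Review bot: The two `dissect` processors meant to strip angle brackets from `email.from.address` and `email.to.address` run after those fields have been built with `append`, so they operate on an array; dissect needs a string, fails, and the failure is hidden by `ignore_failure: true`. The dlp_logs sample event in this commit shows the result: `"from": {"address": ["\u003c\u003e"]}` keeps its brackets, and `email.message_id` is stored as `<...>` with no stripping attempted at all. Run the dissect on the source scalars before the appends instead — `field: mimecast.senderAddress` with `pattern: "<%{mimecast.senderAddress}>"` (plus `ignore_missing`/`ignore_failure`), and likewise for `mimecast.recipientAddress` and, if brackets are unwanted there too, `mimecast.messageId`. The siem_logs pipeline has the same append-then-dissect ordering for both address fields. The `drop` on a missing `mimecast.eventTime` discards events without any trace; a `description: Drop records without eventTime, which the date processor below requires.` would tell whoever investigates missing data why.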
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/base-fields.yml new file mode 100755 index 0000000000..7b49c3eae7 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: mimecast +- name: event.dataset + type: constant_keyword + description: Event dataset + value: mimecast.dlp_logs +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/ecs.yml new file mode 100755 index 0000000000..a2768b6011 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/fields/ecs.yml 
@@ -0,0 +1,48 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The direction of the message based on the sending and receiving domains. + name: email.direction + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. 
+ name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/manifest.yml b/packages/mimecast/0.0.12/data_stream/dlp_logs/manifest.yml new file mode 100755 index 0000000000..2d228f27fb --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/manifest.yml 
@@ -0,0 +1,77 @@ +title: "DLP Mimecast Logs" +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: DLP Logs + description: Collect DLP Logs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: false + default: 5m + - name: api_url + type: text + title: API URL + description: API Url. + multi: false + required: true + show_user: false + default: https://eu-api.mimecast.com/api/dlp/get-logs + - name: app_key + type: password + title: Application Key + description: Specifies application key for user. + multi: false + required: true + show_user: true + - name: app_id + type: password + title: Application ID + description: Set the Application Id. + multi: false + required: true + show_user: true + - name: access_key + type: password + title: Access Key + description: Set Access Key. + multi: false + required: true + show_user: true + - name: secret_key + type: password + title: Secret Key + description: Set Secret Key. + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - mimecast-dlp-logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/mimecast/0.0.12/data_stream/dlp_logs/sample_event.json b/packages/mimecast/0.0.12/data_stream/dlp_logs/sample_event.json new file mode 100755 index 0000000000..34736d2869 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/dlp_logs/sample_event.json @@ -0,0 +1,57 @@ +{ + "@timestamp": "2021-11-18T21:41:18.000Z", + "agent": { + "ephemeral_id": "0461fb9e-2359-4960-9036-461e4763582d", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.dlp_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "\u003c\u003e" + ] + }, + "message_id": "\u003c20211118214115.B346F10021D@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", + "to": { + "address": [ + "johndoe@example.com" + ] + } + }, + "event": { + "action": "notification", + "agent_id_status": "verified", + "created": "2021-11-18T21:41:18+0000", + "dataset": "mimecast.dlp_logs", + "ingested": "2022-05-09T10:22:29Z", + "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" + }, + "input": { + "type": "httpjson" + }, + "rule": { + "name": "Content Inspection - Watermark" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-dlp-logs" + ] +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/siem_logs/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..f9f6fe91f3 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/siem_logs/agent/stream/httpjson.yml.hbs @@ -0,0 +1,55 @@ +config_version: "2" +interval: {{interval}} +request.url: {{api_url}} +request.method: "POST" +request.transforms: + - set: + target: body.data + value: '[{"type":"MTA","fileFormat":"json", "compress":false, "token": "[[.cursor.next_token]]"}]' + default: '[{"type":"MTA","fileFormat":"json", "compress":false}]' + value_type: json + - set: + target: header.x-mc-app-id + value: {{app_id}} + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: "[[uuid]]" + - set: + target: header.Authorization + value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/audit/get-siem-logs:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]' + fail_on_template_error: true + - set: + target: header.Accept + value: '*/*' +response.decode_as: application/json +response.split: + transforms: + - set: + target: body.Content-Disposition + value: '[[.last_response.header.Get "Content-Disposition"]]' + target: body.data +response.pagination: + - set: + target: body.data + value: '[{"type":"MTA","fileFormat":"json", "compress":false, "token": "[[.last_response.header.Get "mc-siem-token"]]"}]' + value_type: json +cursor: + next_token: + value: '[[.last_response.header.Get "mc-siem-token"]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
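Review bot: `app_key` is spliced into the `sprintf` format string of the Authorization transform (`sprintf "%s:%s:/api/audit/get-siem-logs:{{app_key}}" ...`), so a key containing `%` would be read as a format verb and the HMAC would be computed over a corrupted signing string; passing it as an argument avoids that: `(sprintf "%s:%s:/api/audit/get-siem-logs:%s" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id") "{{app_key}}")`. The dlp_logs template uses the same construction for `/api/dlp/get-logs`. In the same way `request.url: {{api_url}}` and `value: {{app_id}}` are interpolated into YAML unquoted, so a value containing `: `, ` #` or a leading indicator yields a malformed stream config; `request.url: "{{api_url}}"` and `value: "{{app_id}}"` match the quoting already used for the other header values. `fail_on_template_error: true` is set only on the Authorization transform while the body `set` with `[[.cursor.next_token]]` silently falls back to `default`; that is presumably intended for the first request, but a one-line comment saying so would save the next reader from checking.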
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7a3fd06dc6
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,410 @@ +--- +description: Pipeline for processing Mimecast siem_logs. +processors: + # Generic event/ecs fields we always want to populate. + - set: + field: ecs.version + value: "8.2.0" + - rename: + field: message + target_field: event.original + - json: + description: Parse 'message' JSON contents into a 'mimecast' object. + field: event.original + target_field: mimecast + - drop: + if: ctx?.mimecast?.datetime == null + - date: + description: Use 'mimecast.datetime' as the '@timestamp' + field: mimecast.datetime + timezone: UTC + formats: + - yyyy-MM-dd'T'HH:mm:ssZ + + ### RECEIPT LOGS + - rename: + field: mimecast.aCode + target_field: email.local_id + ignore_missing: true + if: 'ctx?.mimecast?.aCode !=null' + - rename: + field: mimecast.Act + target_field: event.action + ignore_missing: true + if: 'ctx?.mimecast?.Act !=null' + - rename: + field: mimecast.Cphr + target_field: tls.cipher + ignore_missing: true + if: 'ctx?.mimecast?.Cphr !=null' + - rename: + field: mimecast.Dir + target_field: email.direction + ignore_missing: true + if: 'ctx?.mimecast?.Dir !=null' + - rename: + field: mimecast.Error + target_field: error.message + ignore_missing: true + if: 'ctx?.mimecast?.Error !=null' + - rename: + field: mimecast.IP + target_field: source.ip + ignore_missing: true + if: 'ctx?.mimecast?.IP !=null' + - rename: + field: mimecast.MsgId + target_field: email.message_id + ignore_missing: true + if: 'ctx?.mimecast?.MsgId !=null' + - rename: + field: mimecast.Rcpt + target_field: email.to.address + ignore_missing: true + if: 'ctx?.mimecast?.Rcpt !=null' + - append: + field: email.to.address + value: "{{{mimecast.Rcpt}}}" + allow_duplicates: false + if: "ctx?.mimecast?.Rcpt != null" + - append: + field: email.from.address + value: '{{{mimecast.headerFrom}}}' + allow_duplicates: false + if: ctx.mimecast?.headerFrom != null + - rename: + field: mimecast.RejCode + target_field: error.code + ignore_missing: true + if: 'ctx?.mimecast?.RejCode !=null' + - 
rename: + field: mimecast.RejInfo + target_field: event.reason + ignore_missing: true + if: 'ctx?.mimecast?.RejInfo !=null' + - rename: + field: mimecast.RejType + target_field: error.type + ignore_missing: true + if: 'ctx?.mimecast?.RejType !=null' + - append: + field: email.from.address + value: "{{{mimecast.Sender}}}" + allow_duplicates: false + if: "ctx?.mimecast?.Sender != null" + - rename: + field: mimecast.Subject + target_field: email.subject + ignore_missing: true + if: 'ctx?.mimecast?.Subject !=null' + - rename: + field: mimecast.TlsVer + target_field: tls.version + ignore_missing: true + if: 'ctx?.mimecast?.TlsVer !=null' + ### PROCESS LOGS + - rename: + field: mimecast.AttSize + target_field: email.attachments.file.size + ignore_missing: true + if: 'ctx?.mimecast?.AttSize !=null' + - rename: + field: mimecast.AttNames + target_field: email.attachments.file.name + ignore_missing: true + if: 'ctx?.mimecast?.AttNames !=null' + - rename: + field: mimecast.Hld + target_field: event.reason + ignore_missing: true + if: 'ctx?.mimecast?.Hld !=null' + ### DELIVERY LOGS + - rename: + field: mimecast.Err + target_field: error.message + ignore_missing: true + if: 'ctx?.mimecast?.Err !=null' + - rename: + field: mimecast.Route + target_field: rule.name + ignore_missing: true + if: 'ctx?.mimecast?.Route !=null' + - rename: + field: mimecast.UseTls + target_field: tls.established + ignore_missing: true + if: 'ctx?.mimecast?.UseTls !=null' + ### AV LOGS + - rename: + field: mimecast.fileExt + target_field: email.attachments.file.extension + ignore_missing: true + if: 'ctx?.mimecast?.fileExt !=null' + - rename: + field: mimecast.fileMime + target_field: email.attachments.file.mime_type + ignore_missing: true + if: 'ctx?.mimecast?.fileMime !=null' + - rename: + field: mimecast.md5 + target_field: email.attachments.file.hash.md5 + ignore_missing: true + if: 'ctx?.mimecast?.md5 !=null' + - rename: + field: mimecast.Recipient + target_field: email.to.address + 
ignore_missing: true + if: 'ctx?.mimecast?.Recipient !=null' + - append: + field: email.to.address + value: "{{{mimecast.Recipient}}}" + if: "ctx?.mimecast?.Recipient != null" + - rename: + field: mimecast.SenderDomain + target_field: source.domain + ignore_missing: true + if: 'ctx?.mimecast?.SenderDomain !=null' + - rename: + field: mimecast.sha1 + target_field: email.attachments.file.hash.sha1 + ignore_missing: true + if: 'ctx?.mimecast?.sha1 !=null' + - rename: + field: mimecast.sha256 + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + if: 'ctx?.mimecast?.sha256 !=null' + - rename: + field: mimecast.Size + target_field: email.attachments.file.size + ignore_missing: true + if: 'ctx?.mimecast?.Size !=null' + - rename: + field: mimecast.fileName + target_field: email.attachments.file.name + ignore_missing: true + if: 'ctx?.mimecast?.fileName !=null' + ### SPAM EVENT THREAD LOGS + - rename: + field: mimecast.SourceIP + target_field: source.ip + ignore_missing: true + if: 'ctx?.mimecast?.SourceIP !=null' + ### SIEM Email Protect Logs + - rename: + field: mimecast.URL + target_field: url.full + ignore_missing: true + if: 'ctx?.mimecast?.URL !=null' + ### SIEM Impersonation logs + - rename: + field: mimecast.Action + target_field: event.action + ignore_missing: true + if: 'ctx?.mimecast?.Action !=null' + - rename: + field: mimecast.Definition + target_field: rule.name + ignore_missing: true + if: 'ctx?.mimecast?.Definition !=null' + - rename: + field: mimecast.NewDomain + target_field: source.domain + ignore_missing: true + if: 'ctx?.mimecast?.NewDomain !=null' + ### SIEM TTP Url Logs + - rename: + field: mimecast.reason + target_field: event.reason + ignore_missing: true + if: 'ctx?.mimecast?.reason !=null' + - rename: + field: mimecast.recipient + target_field: email.to.address + ignore_missing: true + if: 'ctx?.mimecast?.recipient !=null' + - append: + field: email.to.address + value: "{{{mimecast.recipient}}}" + if: 
"ctx?.mimecast?.recipient != null" + - rename: + field: mimecast.route + target_field: email.direction + ignore_missing: true + if: 'ctx?.mimecast?.route !=null' + - append: + field: email.from.address + value: "{{{mimecast.sender}}}" + allow_duplicates: false + if: "ctx?.mimecast?.sender != null" + - rename: + field: mimecast.senderDomain + target_field: source.domain + ignore_missing: true + if: 'ctx?.mimecast?.senderDomain !=null' + - rename: + field: mimecast.sourceIp + target_field: source.ip + ignore_missing: true + if: 'ctx?.mimecast?.sourceIp !=null' + - rename: + field: mimecast.subject + target_field: email.subject + ignore_missing: true + if: 'ctx?.mimecast?.subject !=null' + - rename: + field: mimecast.url + target_field: url.full + ignore_missing: true + if: 'ctx?.mimecast?.url !=null' + - rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + if: 'ctx?.mimecast?.action !=null' + - dissect: + field: mimecast.Content-Disposition + pattern: "%{?drop->}=\"%{mimecast.log_type}.%{?drop->}" + ignore_missing: true + - split: + field: mimecast.log_type + separator: "_" + target_field: mimecast.log_type_parts + if: 'ctx?.mimecast?.log_type != null' + - set: + field: mimecast.log_type_part1 + copy_from: mimecast.log_type_parts.0 + if: 'ctx?.mimecast?.log_type_parts !=null' + - set: + field: mimecast.log_type_part2 + copy_from: mimecast.log_type_parts.1 + if: 'ctx?.mimecast?.log_type_parts !=null' + - set: + field: mimecast.log_type + value: "{{mimecast.log_type_part1}}" + if: 'ctx?.mimecast?.log_type_part1 != "ttp"' + ignore_failure: true + - set: + field: mimecast.log_type + value: "{{mimecast.log_type_part1}}_{{mimecast.log_type_part2}}" + if: 'ctx?.mimecast?.log_type_part1 =="ttp"' + ignore_failure: true + - set: + field: event.created + value: "{{mimecast.datetime}}" + if: 'ctx?.mimecast?.datetime != null' + - set: + field: tls.established + value: false + if: 'ctx?.tls?.established == "No"' + - set: + field: tls.established + 
value: true + if: 'ctx?.tls?.established == "Yes"' + - rename: + field: mimecast.Delivered + target_field: event.outcome + ignore_missing: true + if: 'ctx?.mimecast?.Delivered !=null' + - set: + field: event.outcome + value: "success" + if: 'ctx?.event?.outcome ==true' + - set: + field: event.outcome + value: "failure" + if: 'ctx?.event?.outcome ==false' + - set: + field: event.outcome + value: "unknown" + if: 'ctx?.event?.outcome ==null' + - lowercase: + field: email.direction + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - dissect: + field: email.from.address + pattern: "<%{email.from.address}>" + ignore_missing: true + ignore_failure: true + - dissect: + field: email.to.address + pattern: "<%{email.to.address}>" + ignore_missing: true + ignore_failure: true + + # Cleanup + - remove: + description: Cleanup of repeated/unwanted/temporary fields. 
+ field: + - mimecast.eventTime + - mimecast.Content-Disposition + - mimecast.datetime + - mimecast.headerFrom + - mimecast.log_type_part1 + - mimecast.log_type_part2 + - mimecast.log_type_parts + - mimecast.sender + - mimecast.Sender + ignore_missing: true + - remove: + description: Remove 'mimecast.RecieptApk' if null + field: mimecast.ReceiptAck + if: 'ctx?.mimecast?.ReceiptAck == null' + ignore_missing: true + - remove: + description: Remove 'mimecast.AttNames' if null + field: mimecast.AttNames + if: 'ctx?.mimecast?.AttNames == null' + ignore_missing: true + - remove: + description: Remove 'mimecast.MsgId' if null + field: mimecast.MsgId + if: 'ctx?.mimecast?.MsgId == null' + ignore_missing: true + - remove: + description: Remove 'mimecast.Subject' if null + field: mimecast.Subject + if: 'ctx?.mimecast?.Subject == null' + ignore_missing: true + - remove: + description: Remove 'event.original' if 'preserve_original_event' is not set. + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - remove: + description: Remove 'mimecast.credentialTheft' if null + field: mimecast.credentialTheft + if: 'ctx?.mimecast?.credentialTheft == null' + ignore_missing: true + - remove: + description: Remove 'mimecast.msgid' if null + field: mimecast.msgid + if: 'ctx?.mimecast?.msgid == null' + ignore_missing: true + ### + +# Error handling +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/agent.yml 
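Review bot: For `mimecast.Rcpt`, `mimecast.Recipient` and `mimecast.recipient` the pipeline first `rename`s the field to `email.to.address` and then `append`s the same source with `if: ctx?.mimecast?.X != null`; the rename has already removed the source, so each append is dead code, and `email.to.address` ends up a scalar while `email.from.address` is built as an array through the `Sender`/`headerFrom`/`sender` appends. Drop the three renames and keep the appends (with `allow_duplicates: false` on all of them) so the field is consistently an array, or drop the appends if a scalar is intended; the closing `dissect` with `pattern: "<%{email.to.address}>"` only works on a string, so the choice has to be made deliberately. Several sources also map to one target by plain `rename` without `ignore_failure` — `IP`/`SourceIP`/`sourceIp` → `source.ip`, `Act`/`Action`/`action` → `event.action`, `Error`/`Err` → `error.message` — so a record carrying two of them fails at the second rename and lands in `on_failure` with only `error.message` set; presumably each log type carries exactly one, but a comment per `###` section stating that assumption would make the mapping auditable. The description `Remove 'mimecast.RecieptApk' if null` does not match the field it removes, `mimecast.ReceiptAck`.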
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/base-fields.yml
new file mode 100755
index 0000000000..aa70102a06
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: mimecast
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: mimecast.siem_logs
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/ecs.yml
new file mode 100755
index 0000000000..f81e549060
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/ecs.yml
@@ -0,0 +1,165 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Attachment file extension, excluding the leading dot.
+ name: email.attachments.file.extension
+ type: keyword
+- description: MD5 hash.
+ name: email.attachments.file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: email.attachments.file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: email.attachments.file.hash.sha256
+ type: keyword
+- description: |-
+ The MIME media type of the attachment.
+ This value will typically be extracted from the `Content-Type` MIME header field.
+ name: email.attachments.file.mime_type
+ type: keyword
+- description: Name of the attachment file including the file extension.
+ name: email.attachments.file.name
+ type: keyword
+- description: Name of the attachment file including the file extension.
+ name: email.attachments.file.name
+ type: keyword
+- description: Attachment file size in bytes.
+ name: email.attachments.file.size
+ type: long
+- description: The direction of the message based on the sending and receiving domains.
+ name: email.direction
+ type: keyword
+- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
+ name: email.from.address
+ type: keyword
+- description: |-
+ Unique identifier given to the email by the source that created the event.
+ Identifier is not persistent across hops.
+ name: email.local_id
+ type: keyword
+- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
+ name: email.message_id
+ type: wildcard
+- description: A brief summary of the topic of the message.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: email.subject
+ type: keyword
+- description: The email address of recipient
+ name: email.to.address
+ type: keyword
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: The type of the error, for example the class name of the exception.
+ name: error.type
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: String indicating the cipher used during the current connection.
+ name: tls.cipher
+ type: keyword
+- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+ name: tls.established
+ type: boolean
+- description: Numeric part of the version parsed from the original string.
+ name: tls.version
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: User email address.
+ name: user.email
+ type: keyword
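Review bot: `email.attachments.file.name` and `event.action` are each declared twice in this file — two identical `email.attachments.file.name` entries near the top, and two identical `event.action` blocks after `error.type`. The repeated entries add nothing, and schema tooling that builds a mapping from this list may reject or silently collapse duplicate names, so the second copy of each should be deleted.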
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/fields/field.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/field.yml
new file mode 100755
index 0000000000..3c6761095a
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/fields/field.yml
@@ -0,0 +1,139 @@
+- name: mimecast
+ type: group
+ fields:
+ ### Receipt logs
+ - name: acc
+ type: keyword
+ description: The Mimecast account code for your account.
+ - name: SpamInfo
+ type: keyword
+ description: Information from Mimecast Spam scanners for messages found to be Spam.
+ - name: SpamLimit
+ type: long
+ description: The Spam limit defined for the given sender and recipient.
+ - name: SpamProcessingDetail
+ type: keyword
+ description: The Spam processing details for DKIM, SPF, DMARC.
+ - name: SpamScore
+ type: long
+ description: The Spam score the email was given.
+ - name: Virus
+ type: keyword
+ description: The name of the virus found on the email, if applicable.
+ - name: MsgId
+ type: keyword
+ description: The internet message id of the email.
+ - name: Subject
+ type: keyword
+ description: The subject of the email, limited to 150 characters.
+ #### Process logs
+ - name: AttCnt
+ type: long
+ description: The number of attachments on the email.
+ - name: IPInternalName
+ type: keyword
+ description: For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from an internal user name.
+ - name: IPNewDomain
+ type: keyword
+ description: For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from a new domain.
+ - name: IPReplyMismatch
+ type: keyword
+ description: For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detetced to have a mismatch in the reply to address.
+ - name: IPSimilarDomain
+ type: keyword
+ description: For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detetced to be from a similar domain to any domain you have registered as an Internal Domain.
+ - name: IPThreadDict
+ type: keyword
+ description: For emails subject to Targeted Threat Protection - Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary.
+ - name: MsgSize
+ type: long
+ description: The total size of the email.
+ - name: AttNames
+ type: keyword
+ description: The filenames of all attachments on the email.
+ ### Delivery logs
+ - name: Attempt
+ type: long
+ description: The count of attempts that the Mimecast MTA has made to deliver the email.
+ - name: Latency
+ type: long
+ description: The time in milliseconds that the delivery attempt took.
+ - name: ReceiptAck
+ type: keyword
+ description: The receipt acknowledgment message received by Mimecast from the receiving mail server.
+ - name: Snt
+ type: long
+ description: The amount of data in bytes that were delivered.
+ ### AV Logs
+ - name: CustomerIP
+ type: keyword
+ description: The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account.
+ - name: MimecastIP
+ type: keyword
+ description: The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal.
+ - name: SenderDomainInternal
+ type: keyword
+ description: The sender domain is a registered internal domain.
+ ### Spam Event Thread Logs
+ - name: ScanResultInfo
+ ### Siem Email Protect Logs
+
+ type: keyword
+ description: The reason that the click was blocked.
+ - name: UrlCategory
+ type: keyword
+ description: The category of the URL that was clicked.
+ ### Siem Impersonation Logs
+ - name: CustomName
+ type: keyword
+ description: The message has matched a custom name.
+ - name: CustomThreatDictionary
+ type: keyword
+ description: The content of the email was detected to contain words in a custom threat dictionary.
+ - name: Hits
+ type: keyword
+ description: Number of items flagged for the message.
+ - name: InternalName
+ type: keyword
+ description: The email was detected to be from an internal user name.
+ - name: ReplyMismatch
+ type: keyword
+ description: The reply address does not correspond to the senders address.
+ - name: SimilarCustomExternalDomain
+ type: keyword
+ description: The senders domain is similar to a custom external domain list.
+ - name: SimilarInternalDomain
+ type: keyword
+ description: The senders domain is similar to a registered internal domain.
+ - name: SimilarMimecastExternalDomain
+ type: keyword
+ description: The senders domain is similar to a Mimecast managed list of domains.
+ - name: TaggedExternal
+ type: keyword
+ description: The message has been tagged as originating from a external source.
+ - name: TaggedMalicious
+ type: keyword
+ description: The message has been tagged as malicious.
+ - name: ThreatDictionary
+ type: keyword
+ description: The content of the email was detected to contain words in the Mimecast threat dictionary.
+ ### SIEM TTP Url Protect Logs
+ - name: urlCategory
+ type: keyword
+ description: The category of the URL that was clicked.
+ - name: credentialTheft
+ type: keyword
+ description: The info about credential theft.
+ ### SIEM Journal Logs
+ - name: RcptHdrType
+ type: keyword
+ description: Type of the receipt header.
+ - name: RcptActType
+ type: keyword
+ description: Action after reception.
+ - name: log_type
+ type: keyword
+ description: String to get type of SIEM log.
+ - name: msgid
+ type: keyword
+ description: The internet message id of the email.
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/manifest.yml b/packages/mimecast/0.0.12/data_stream/siem_logs/manifest.yml
new file mode 100755
index 0000000000..652c5f6943
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/manifest.yml
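Review bot: The `ScanResultInfo` entry under `### Spam Event Thread Logs` has the `### Siem Email Protect Logs` comment and a blank line wedged between its `name` and the following `type`/`description`, so it silently takes `description: The reason that the click was blocked.`, which reads like the text for a different (Email Protect) field; either move the comment above `- name: ScanResultInfo` or restore the field definition that appears to have been dropped there. Two descriptions also misspell "detected" as `detetced` (`IPReplyMismatch`, `IPSimilarDomain`). `Hits` is described as a count but typed `keyword`; if the source emits a number, `type: long` would let it be aggregated.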
@@ -0,0 +1,77 @@
+title: "SIEM Mimecast Logs"
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: SIEM logs
+ description: Collect SIEM Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API.
+ multi: false
+ required: true
+ show_user: false
+ default: 0.5s
+ - name: api_url
+ type: password
+ title: API URL
+ description: API Url.
+ multi: false
+ required: true
+ show_user: false
+ default: https://eu-api.mimecast.com/api/audit/get-siem-logs
+ - name: app_key
+ type: password
+ title: Application Key
+ description: Specifies application key for user.
+ multi: false
+ required: true
+ show_user: true
+ - name: app_id
+ type: password
+ title: Application ID
+ description: Set the Application Id.
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Set Access Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Set Secret Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-siem-logs
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
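Review bot: `api_url` is declared `type: password` although it is an endpoint, not a credential; password-typed vars are masked in the policy editor, so an operator cannot see which host the integration signs and sends its requests to, and `type: text` is the usual choice for a URL. The `interval` default of `0.5s` polls the API twice a second, which is aggressive for a log-retrieval endpoint and may run into vendor rate limiting; a larger default, or a note in the description on what the vendor permits, would be safer. The `api_url` description `API Url.` could also state that the regional host must match the account.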
diff --git a/packages/mimecast/0.0.12/data_stream/siem_logs/sample_event.json b/packages/mimecast/0.0.12/data_stream/siem_logs/sample_event.json
new file mode 100755
index 0000000000..d901e45851
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/siem_logs/sample_event.json
@@ -0,0 +1,57 @@
+{
+ "@timestamp": "2021-11-12T12:15:46.000Z",
+ "agent": {
+ "ephemeral_id": "d683003b-9e59-4e3d-91fe-3b3411c5946f",
+ "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "mimecast.siem_logs",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "email": {
+ "direction": "internal",
+ "from": {
+ "address": [
+ "johndoe@example.com"
+ ]
+ },
+ "local_id": "fjihpfEgM_iRwemxhe3t_w",
+ "to": {
+ "address": "o365_service_account@example.com"
+ }
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2021-11-12T12:15:46+0000",
+ "dataset": "mimecast.siem_logs",
+ "ingested": "2022-05-09T10:23:21Z",
+ "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}",
+ "outcome": "unknown"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "mimecast": {
+ "RcptActType": "Jnl",
+ "RcptHdrType": "Unknown",
+ "acc": "ABC123",
+ "log_type": "jrnl"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "mimecast-siem-logs"
+ ]
+}
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..e2dae615a0
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,52 @@
+config_version: "2"
+interval: {{interval}}
+request.url: {{api_url}}
+request.method: "POST"
+request.transforms:
+- set:
+ target: body.data
+ value: '[{"feedType": "malware_customer","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (.cursor.next_date) "2006-01-02T15:04:05+0700"]]"}]'
+ default: '[{"feedType": "malware_customer","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]'
+ value_type: json
+- set:
+ target: header.x-mc-app-id
+ value: {{app_id}}
+- set:
+ target: header.x-mc-date
+ value: '[[formatDate (now) "RFC1123"]]'
+- set:
+ target: header.x-mc-req-id
+ value: "[[uuid]]"
+- set:
+ target: header.Authorization
+ value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/ttp/threat-intel/get-feed:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]'
+ fail_on_template_error: true
+response.decode_as: application/json
+response.split:
+ transforms:
+ - set:
+ target: body.Content-Disposition
+ value: '[[.last_response.header.Get "Content-Disposition"]]'
+ target: body.objects
+response.pagination:
+- set:
+ target: body.data
+ value: '[{"feedType": "malware_customer","fileType": "stix","compress": false,"token": "[[.last_response.header.Get "x-mc-threat-feed-next-token"]]","end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[.cursor.next_date]]"}]'
+ value_type: json
+cursor:
+ next_date:
+ value: '[[.first_event.created]]'
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
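Review bot: `interval: {{interval}}`, `request.url: {{api_url}}` and the `x-mc-app-id` `value: {{app_id}}` are inserted into the YAML unquoted, so an empty value renders as `null` and a value with YAML-significant characters becomes a parse error or a different type at render time; quote them, e.g. `request.url: "{{api_url}}"`, as the other templated values in this file already are. Separately, the layout `"2006-01-02T15:04:05+0700"` used for the `start`/`end` bounds looks wrong if `formatDate` follows Go layout rules: only `-0700` is a zone token, so `+0700` is copied into the output verbatim and the request window claims a +07:00 offset regardless of the zone `now` is in; `"2006-01-02T15:04:05Z0700"` (or formatting in UTC) would make the window unambiguous. This is inferred from the template text alone and should be confirmed against a rendered request.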
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..cfe9e34819
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,223 @@
+---
+description: Pipeline for parsing Mimecast - Threat Intel Feed Malware Customer Logs
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: mimecast
+ - drop:
+ if: 'ctx.mimecast?.type != "indicator"'
+ - fingerprint:
+ fields:
+ - mimecast.id
+ target_field: "_id"
+ ignore_missing: true
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ ## File indicator operations
+ - date:
+ field: mimecast.created
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.mimecast?.created != null"
+ - date:
+ field: mimecast.modified
+ target_field: threat.indicator.modified_at
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.mimecast?.modified != null"
+ - date:
+ field: mimecast.valid_from
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.mimecast?.valid_from != null"
+ - dissect:
+ field: mimecast.pattern
+ pattern:
"[%{_tmp.threattype}:%{mimecast.pattern_value}.'%{mimecast.pattern_hash_type}' = '%{_tmp.threatvalue}']"
+ if: 'ctx.mimecast?.pattern != null'
+ - set:
+ field: mimecast.value
+ value: "{{_tmp.threatvalue}}"
+ if: 'ctx?._tmp?.threatvalue != null'
+ - set:
+ field: mimecast.hashtype
+ value: "{{mimecast.pattern_hash_type}}"
+ if: 'ctx?.mimecast?.pattern_hash_type != null'
+ - rename:
+ field: _tmp.threattype
+ target_field: threat.indicator.type
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: mimecast.value
+ target_field: threat.indicator.file.hash.sha256
+ ignore_missing: true
+ if: 'ctx?.mimecast?.hashtype == "SHA-256"'
+ - rename:
+ field: mimecast.value
+ target_field: threat.indicator.file.hash.sha1
+ ignore_missing: true
+ if: 'ctx?.mimecast?.hashtype == "SHA-1"'
+ - rename:
+ field: mimecast.value
+ target_field: threat.indicator.file.hash.md5
+ ignore_missing: true
+ if: 'ctx?.mimecast?.hashtype == "MD-5"'
+ - append:
+ field: related.hash
+ value: "{{threat.indicator.file.hash.sha256}}"
+ allow_duplicates: false
+ if: 'ctx?.mimecast?.hashtype == "SHA-256"'
+ - append:
+ field: related.hash
+ value: "{{threat.indicator.file.hash.sha1}}"
+ allow_duplicates: false
+ if: 'ctx?.mimecast?.hashtype == "SHA-1"'
+ - append:
+ field: related.hash
+ value: "{{threat.indicator.file.hash.md5}}"
+ allow_duplicates: false
+ if: 'ctx?.mimecast?.hashtype == "MD-5"'
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - foreach:
+ field: mimecast.labels
+ ignore_missing: true
+ processor:
+ append:
+ field: tags
+ value: "{{_ingest._value}}"
+ allow_duplicates: false
+ - grok:
+ field: mimecast.description
+ patterns:
+ - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}"
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ field: mimecast.Content-Disposition
+ pattern: "%{?drop->}=\"%{mimecast.logtype_part.1}_%{mimecast.logtype_part.2}_%{?drop->}"
+ ignore_missing: true
+ - set:
+
field: mimecast.log_type
+ value: "{{mimecast.logtype_part.1}}_{{mimecast.logtype_part.2}}"
+ if: 'ctx?.mimecast?.logtype_part?.1 != null && ctx?.mimecast?.logtype_part?.2 != null'
+ - rename:
+ field: mimecast.name
+ target_field: email.attachments.file.name
+ ignore_missing: true
+ if: 'ctx?.mimecast?.name != null'
+ - split:
+ field: email.attachments.file.name
+ separator: "\\."
+ target_field: file.parts
+ if: 'ctx?.email?.attachments?.file?.name != null'
+ - script:
+ lang: painless
+ source: |
+ ctx.email.attachments.file.name = ctx.file.parts[0];
+ if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1'
+ - script:
+ lang: painless
+ source: |
+ ctx.email.attachments.file.extension = ctx.file.parts[ctx.file.parts.length-1];
+ if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1'
+ ######################
+ # Cleanup processors #
+ ######################
+ - script:
+ lang: painless
+ if: ctx?.threatintel != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - mimecast.created
+ - message
+ - _tmp
+ - mimecast.pattern_value
+ - mimecast.pattern_hash_type
+ - mimecast.hashtype
+ - mimecast.value
+ - mimecast.Content-Disposition
+ - mimecast.logtype_part
+ - mimecast.modified
+ - mimecast.valid_from
+ - file.parts
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
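Review bot: The null-stripping script under `# Cleanup processors #` is guarded by `if: ctx?.threatintel != null`, but nothing in this pipeline writes a `threatintel` field — the `json` processor places the decoded feed under `mimecast` — so the script never runs and null values from the STIX object reach the index unchanged; `if: ctx?.mimecast != null` matches what the pipeline actually produces. The three MD5 branches compare `hashtype` with `"MD-5"`, while the STIX hash-algorithm vocabulary spells it `MD5`; if the feed follows STIX, the md5 `rename` and the `related.hash` append never fire for MD5 indicators, which should be checked against a real `pattern` value. The file-name `split` on `.` then keeps only `parts[0]` as the name, so a name with more than one dot is truncated (constructed example: `archive.tar.gz` becomes `archive` with extension `gz`).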
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/base-fields.yml new file mode 100755 index 0000000000..ea3b377344 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: mimecast +- name: event.dataset + type: constant_keyword + description: Event dataset + value: mimecast.threat_intel_malware_customer +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/ecs.yml new file mode 100755 index 0000000000..da191efded --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/ecs.yml 
@@ -0,0 +1,86 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. 
+ name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last modified information for this indicator. + name: threat.indicator.modified_at + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/field.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/field.yml new file mode 100755 index 0000000000..08f642ecee --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/fields/field.yml 
@@ -0,0 +1,73 @@ +- name: mimecast + type: group + fields: + - name: id + type: keyword + description: > + The ID of the indicator. + + - name: value + type: keyword + description: > + The value of the indicator. + + - name: modified + type: date + description: > + When the indicator was last modified. + + - name: created + type: date + description: > + When the indicator was last created. + + - name: labels + type: keyword + description: > + The labels related to the indicator. + + - name: type + type: keyword + description: > + The indicator type, can for example be "domain, email, FileHash-SHA256". + + - name: valid_from + type: date + description: > + The valid from date. + + - name: pattern + type: keyword + description: > + The pattern. + + - name: hashtype + type: keyword + description: > + The hash type. + + - name: log_type + type: keyword + description: > + String to get type of Threat intel feed. + + - name: name + type: keyword + description: > + Name of the file. + + - name: relationship_type + type: keyword + description: > + Type of the relationship. + + - name: source_ref + type: keyword + description: > + Source of the reference. + + - name: target_ref + type: keyword + description: > + Reference target. + diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/manifest.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/manifest.yml new file mode 100755 index 0000000000..e172edd986 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/manifest.yml 
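Review bot: The `mimecast.type` description (`The indicator type, can for example be "domain, email, FileHash-SHA256".`) does not match what the pipeline stores: the sample event in this diff shows `mimecast.type` holding the STIX object type `indicator`, which is also the value the grid pipeline's `drop` filters on, so a description such as `STIX object type of the record (always "indicator" after filtering).` would be accurate. `mimecast.created` is described as `When the indicator was last created.`; `When the indicator was created.` reads correctly. `mimecast.relationship_type`, `mimecast.source_ref` and `mimecast.target_ref` belong to STIX relationship objects, which the grid pipeline drops before these fields could be populated; if the customer pipeline does the same (its start is outside this chunk), they are dead fields and could be removed.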
@@ -0,0 +1,77 @@ +title: "Threat Intel Feed - Malware Customer" +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Threat Intel Feed - Malware Customer Logs + description: Collect Threat Intel Feed - Malware Customer Logs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: false + default: 5m + - name: api_url + type: password + title: API URL + description: API Url. + multi: false + required: true + show_user: false + default: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed + - name: app_key + type: password + title: Application Key + description: Specifies application key for user. + multi: false + required: true + show_user: true + - name: app_id + type: password + title: Application ID + description: Set the Application Id. + multi: false + required: true + show_user: true + - name: access_key + type: password + title: Access Key + description: Set Access Key. + multi: false + required: true + show_user: true + - name: secret_key + type: password + title: Secret Key + description: Set Secret Key. + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - mimecast-threat-intel-feed-malware-customer + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/sample_event.json new file mode 100755 index 0000000000..796de4adfd --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_customer/sample_event.json 
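Review bot: `api_url` is declared `type: password` with `show_user: false`, although it is the regional API endpoint rather than a credential; as a password it is masked in the policy editor (and may be handled as a secret by Fleet), which makes the region-specific endpoint hard to review or change. `type: text` with a description such as `Regional Mimecast API URL for the threat-intel feed; defaults to the EU endpoint.` fits the value better and leaves `password` to the four keys below it, which are the real secrets. The `interval` default `5m` and the `default:` list under `tags` are fine as written, since both are plain strings the parser will not retype.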
@@ -0,0 +1,67 @@ +{ + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "11e300ff-bc6a-4674-9452-d4fb167b7d59", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-05-09T10:24:11.849Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-05-09T10:24:12Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" + }, + "related": { + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + } + }, + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", + "type": "file" + } + } +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..b0107c1a95 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,52 @@
+config_version: "2"
+interval: {{interval}}
+request.url: {{api_url}}
+request.method: "POST"
+request.transforms:
+- set:
+ target: body.data
+ value: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (.cursor.next_date) "2006-01-02T15:04:05+0700"]]"}]'
+ default: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]'
+ value_type: json
+- set:
+ target: header.x-mc-app-id
+ value: {{app_id}}
+- set:
+ target: header.x-mc-date
+ value: '[[formatDate (now) "RFC1123"]]'
+- set:
+ target: header.x-mc-req-id
+ value: "[[uuid]]"
+- set:
+ target: header.Authorization
+ value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/ttp/threat-intel/get-feed:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]'
+ fail_on_template_error: true
+response.decode_as: application/json
+response.split:
+ transforms:
+ - set:
+ target: body.Content-Disposition
+ value: '[[.last_response.header.Get "Content-Disposition"]]'
+ target: body.objects
+response.pagination:
+- set:
+ target: body.data
+ value: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"token": "[[.last_response.header.Get "x-mc-threat-feed-next-token"]]","end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[.cursor.next_date]]"}]'
+ value_type: json
+cursor:
+ next_date:
+ value: '[[.first_event.created]]'
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
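Review bot: The `+0700` in every `formatDate` layout of the `body.data` transforms (the `value`, `default` and pagination entries) looks like a literal rather than a zone token, since Go layouts recognise `-0700`/`Z0700` but not `+0700`; if `formatDate` renders in UTC by default, the `start`/`end` values would carry a fixed `+0700` suffix that misstates the instant by seven hours, so `"2006-01-02T15:04:05-0700"` (or `Z0700`) would emit the real offset and is worth confirming against a captured request. Separately, `interval: {{interval}}`, `request.url: {{api_url}}` and `value: {{app_id}}` are unquoted template expansions, so an empty or number-looking value is retyped by the YAML parser before httpjson sees it; `"{{interval}}"`, `"{{api_url}}"` and `"{{app_id}}"` are safer. `fail_on_template_error: true` is set only on the Authorization transform; the date and token transforms can fail just as silently, so setting it on them too makes a broken window or cursor visible instead of producing an empty request body.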
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..470f6aab32 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,222 @@ +--- +description: Pipeline for parsing Mimecast - Threat Intel Feed Malware Grid Logs +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.2.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: mimecast + - drop: + if: 'ctx.mimecast?.type != "indicator"' + - fingerprint: + fields: + - mimecast.id + target_field: "_id" + ignore_missing: true + + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - date: + field: mimecast.created + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.mimecast?.created != null" + - date: + field: mimecast.modified + target_field: threat.indicator.modified_at + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.mimecast?.modified != null" + - date: + field: mimecast.valid_from + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.mimecast?.valid_from != null" + - dissect: + field: mimecast.pattern + pattern: 
"[%{_tmp.threattype}:%{mimecast.pattern_value}.'%{mimecast.pattern_hash_type}' = '%{_tmp.threatvalue}']" + if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - set: + field: mimecast.value + value: "{{_tmp.threatvalue}}" + if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - set: + field: mimecast.hashtype + value: "{{mimecast.pattern_hash_type}}" + if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - rename: + field: _tmp.threattype + target_field: threat.indicator.type + ignore_missing: true + if: 'ctx?.mimecast?.pattern != null' + - rename: + field: mimecast.value + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + if: 'ctx?.mimecast?.hashtype == "SHA-256" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - rename: + field: mimecast.value + target_field: threat.indicator.file.hash.sha1 + ignore_missing: true + if: 'ctx?.mimecast?.hashtype == "SHA-1" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - rename: + field: mimecast.value + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + if: 'ctx?.mimecast?.hashtype == "MD-5" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - append: + field: related.hash + value: "{{threat.indicator.file.hash.sha256}}" + allow_duplicates: false + if: 'ctx?.mimecast?.hashtype == "SHA-256" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - append: + field: related.hash + value: "{{threat.indicator.file.hash.sha1}}" + allow_duplicates: false + if: 'ctx?.mimecast?.hashtype == "SHA-1" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - append: + field: related.hash + value: "{{threat.indicator.file.hash.md5}}" + allow_duplicates: false + if: 'ctx?.mimecast?.hashtype == "MD-5" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' + - set: + field: threat.indicator.type + 
value: unknown + if: 'ctx?.threat?.indicator?.type == null' + - foreach: + field: mimecast.labels + ignore_missing: true + processor: + append: + field: tags + value: "{{_ingest._value}}" + allow_duplicates: false + - grok: + field: mimecast.description + patterns: + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.Content-Disposition + pattern: "%{?drop->}=\"%{mimecast.logtype_part.1}_%{mimecast.logtype_part.2}_%{?drop->}" + ignore_missing: true + - set: + field: mimecast.log_type + value: "{{mimecast.logtype_part.1}}_{{mimecast.logtype_part.2}}" + if: 'ctx?.mimecast?.logtype_part != null' + - rename: + field: mimecast.name + target_field: email.attachments.file.name + ignore_missing: true + - split: + field: email.attachments.file.name + separator: "\\." + target_field: file.parts + if: 'ctx?.email?.attachments?.file?.name != null' + - script: + lang: painless + source: | + ctx.email.attachments.file.name = ctx.file.parts[0]; + if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1' + - script: + lang: painless + source: | + ctx.email.attachments.file.extension = ctx.file.parts[ctx.file.parts.length-1]; + if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1' + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - 
mimecast.created + - message + - _tmp + - mimecast.pattern_value + - mimecast.pattern_hash_type + - mimecast.hashtype + - mimecast.value + - mimecast.Content-Disposition + - mimecast.logtype_part + - mimecast.modified + - mimecast.valid_from + - file.parts + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/agent.yml 
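Review bot: The null-stripping painless script under "Cleanup processors" is gated on `if: ctx?.threatintel != null`, but nothing in this pipeline writes a `threatintel` object (the parsed event lives under `mimecast`), so the script never runs and nulls survive into the index; the condition should be `if: ctx?.mimecast != null` or dropped. The three `MD-5` comparisons (the `rename` to `threat.indicator.file.hash.md5` and the matching `append` to `related.hash`) look unreachable, since the STIX 2 hash-algorithm vocabulary carried in the `file:hashes.'…'` pattern spells it `MD5`; with the mismatch the value is never promoted and the trailing `remove` of `mimecast.value` discards it. The `dissect` on `mimecast.pattern` has no `ignore_failure`, so any indicator whose pattern is not a `file:hashes` expression aborts to `on_failure` with `message` and `event.original` left in place; `ignore_failure: true` there, relying on the existing `threat.indicator.type: unknown` fallback, keeps such events flowing, though `unknown` itself is outside the recommended `threat.indicator.type` values listed in this diff's ecs.yml. The customer pipeline at the top of this chunk shows the same `threatintel` condition; its start is outside this view.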
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/base-fields.yml new file mode 100755 index 0000000000..f6a6e618f8 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: mimecast +- name: event.dataset + type: constant_keyword + description: Event dataset + value: mimecast.threat_intel_malware_grid +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/ecs.yml new file mode 100755 index 0000000000..da191efded --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/ecs.yml 
@@ -0,0 +1,86 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. 
+ name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last modified information for this indicator. + name: threat.indicator.modified_at + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/field.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/field.yml new file mode 100755 index 0000000000..1bd3638cb5 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/fields/field.yml 
@@ -0,0 +1,53 @@
+- name: mimecast
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the indicator.
+ - name: value
+ type: keyword
+ description: The value of the indicator.
+ - name: modified
+ type: date
+ description: When the indicator was last modified.
+ - name: created
+ type: date
+ description: When the indicator was last created.
+ - name: labels
+ type: keyword
+ description: The labels related to the indicator.
+ - name: type
+ type: keyword
+ description: The indicator type, can for example be "domain, email, FileHash-SHA256".
+ - name: valid_from
+ type: date
+ description: The valid from date.
+ - name: pattern
+ type: keyword
+ description: The pattern.
+ - name: hashtype
+ type: keyword
+ description: The hash type.
+ - name: log_type
+ type: keyword
+ description: String to get type of Threat intel feed.
+ - name: name
+ type: keyword
+ description: >
+ Name of the file.
+
+ - name: relationship_type
+ type: keyword
+ description: >
+ Type of the relationship.
+
+ - name: source_ref
+ type: keyword
+ description: >
+ Source of the reference.
+
+ - name: target_ref
+ type: keyword
+ description: >
+ Reference target.
+
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/manifest.yml b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/manifest.yml
new file mode 100755
index 0000000000..c14bb673bc
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/manifest.yml
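Review bot: The description of `mimecast.type` (`The indicator type, can for example be "domain, email, FileHash-SHA256"`) does not match what the field holds: in this data stream's sample event later in the diff `mimecast.type` is `indicator`, the STIX object type, while the kind of indicator is carried by `threat.indicator.type` (`file`). Suggest `description: The STIX object type of the feed entry, for example "indicator".` so analysts do not filter on the wrong field. `created` is described as "When the indicator was last created"; `description: When the indicator was created.` reads correctly.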
@@ -0,0 +1,77 @@
+title: "Threat Intel Feed - Malware Grid"
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Threat Intel Feed - Malware Grid Logs
+ description: Collect Threat Intel Feed - Malware Grid Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: api_url
+ type: text
+ title: API URL
+ description: API Url.
+ multi: false
+ required: true
+ show_user: false
+ default: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed
+ - name: app_key
+ type: password
+ title: Application Key
+ description: Specifies application key for user.
+ multi: false
+ required: true
+ show_user: true
+ - name: app_id
+ type: password
+ title: Application ID
+ description: Set the Application Id.
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Set Access Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Set Secret Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-threat-intel-feed-malware-grid
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/sample_event.json
new file mode 100755
index 0000000000..124245172d
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/threat_intel_malware_grid/sample_event.json
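Review bot: `api_url` is documented only as `API Url.` and is hidden from the form (`show_user: false`), yet its default points at the EU regional host (`https://eu-api.mimecast.com/...`); an account homed in another region will most likely fail to authenticate against it with nothing in the UI hinting why. Suggest `description: Mimecast API endpoint for this feed. The default is the EU regional host; use the API host assigned to your Mimecast account.` and consider `show_user: true` so the value is visible when the integration is configured. The same applies to the `api_url` var in the `ttp_ap_logs/manifest.yml` hunk later in this diff.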
@@ -0,0 +1,67 @@ +{ + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "d4b2c0c8-5d78-4482-9e6b-4b5a6d55e652", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-05-09T10:25:08.535Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-05-09T10:25:09Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" + }, + "related": { + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + } + }, + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", + "type": "file" + } + } +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..26ffd8cdc3
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,50 @@
+config_version: "2"
+interval: {{interval}}
+request.url: {{api_url}}
+request.method: "POST"
+request.transforms:
+- set:
+ target: body.data
+ value: '[{"oldestFirst": false, "route": "all", "result":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]'
+ default: '[{"oldestFirst": false, "route": "all", "result":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]'
+ value_type: json
+- set:
+ target: header.x-mc-app-id
+ value: {{app_id}}
+- set:
+ target: header.x-mc-date
+ value: '[[formatDate (now) "RFC1123"]]'
+- set:
+ target: header.x-mc-req-id
+ value: "[[uuid]]"
+- set:
+ target: header.Authorization
+ value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/ttp/attachment/get-logs:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]'
+ fail_on_template_error: true
+response.decode_as: application/json
+response.split:
+ target: body.data
+ split:
+ target: body.attachmentLogs
+response.pagination:
+- set:
+ target: body.meta.pagination.pageToken
+ value: '[[.last_response.body.meta.pagination.next]]'
+ fail_on_template_error: true
+cursor:
+next_date:
+ value: '[[.first_event.date]]'
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
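Review bot: `next_date:` appears at column 0 directly after `cursor:`, so unless the collapsing of this diff has dropped its indentation it is a top-level key rather than a cursor entry, `.cursor.next_date` in the `body.data` transform is never set, and every poll falls back to the `default` window of the last `interval` — a gap in collection that a failed template would at least have surfaced. It should read `cursor:` / `  next_date:` / `    value: '[[.first_event.date]]'`. Separately, the `x-mc-app-id` header is set from an unquoted template (`value: {{app_id}}`); `value: "{{app_id}}"` keeps an ID that happens to begin with a YAML indicator from breaking the rendered input config, and `request.url: "{{api_url}}"` deserves the same treatment.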
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..0e3a8902ab
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,135 @@ +--- +description: Pipeline for processing Mimecast ttp_ap_logs. +processors: + # Generic event/ecs fields we always want to populate. + - set: + field: ecs.version + value: "8.2.0" + - rename: + field: message + target_field: event.original + - json: + description: Parse 'message' JSON contents into a 'mimecast' object. + field: event.original + target_field: mimecast + - drop: + if: ctx?.mimecast?.date == null + - date: + description: Use 'mimecast.date' as the '@timestamp' + field: mimecast.date + timezone: UTC + formats: + - yyyy-MM-dd'T'HH:mm:ssZ + - append: + field: email.from.address + value: "{{{mimecast.senderAddress}}}" + if: "ctx?.mimecast?.senderAddress != null" + ignore_failure: true + - append: + field: email.to.address + value: "{{{mimecast.recipientAddress}}}" + if: "ctx?.mimecast?.recipientAddress != null" + ignore_failure: true + - dissect: + field: email.from.address + pattern: "<%{email.from.address}>" + ignore_missing: true + ignore_failure: true + - dissect: + field: email.to.address + pattern: "<%{email.to.address}>" + ignore_missing: true + ignore_failure: true + - gsub: + field: mimecast.actionTriggered + pattern: "," + replacement: "" + ignore_missing: true + - gsub: + field: mimecast.actionTriggered + pattern: " " + replacement: "_" + ignore_missing: true + - rename: + field: mimecast.actionTriggered + target_field: event.action + ignore_missing: true + if: 'ctx?.mimecast?.actionTriggered !=null' + - rename: + field: mimecast.subject + target_field: email.subject + ignore_missing: true + if: 'ctx?.mimecast?.subject !=null' + - rename: + field: mimecast.messageId + target_field: email.message_id + ignore_missing: true + if: 'ctx?.mimecast?.messageId !=null' + - rename: + field: mimecast.route + target_field: email.direction + ignore_missing: true + if: 'ctx?.mimecast?.route !=null' + - rename: + field: mimecast.fileName + target_field: email.attachments.file.name + ignore_missing: true + if: 'ctx?.mimecast?.fileName 
!=null' + - rename: + field: mimecast.definition + target_field: rule.name + ignore_missing: true + if: 'ctx?.mimecast?.definition !=null' + - rename: + field: mimecast.fileHash + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + if: 'ctx.mimecast?.fileHash != null && ctx.mimecast.fileHash.length() == 64' + - rename: + field: mimecast.fileType + target_field: email.attachments.file.mime_type + ignore_missing: true + if: 'ctx?.mimecast?.fileType !=null' + - set: + field: event.created + value: "{{mimecast.date}}" + if: 'ctx?.mimecast?.date != null' + - split: + field: email.attachments.file.name + separator: "\\." + target_field: file.parts + if: 'ctx?.email?.attachments?.file?.name != null' + - script: + lang: painless + source: | + ctx.email.attachments.file.extension = ctx.file.parts[ctx.file.parts.length-1]; + if: 'ctx?.file?.parts !=null && ctx?.file?.parts.length > 1' + - append: + field: related.hash + value: "{{{email.attachments.file.hash.sha256}}}" + allow_duplicates: false + if: ctx.email?.attachments?.file?.hash?.sha256 != null + - lowercase: + field: email.direction + ignore_missing: true + ### Cleanup + - remove: + description: Cleanup of repeated/unwanted/temporary fields. + field: + - mimecast.date + - file.parts + - file + - mimecast.senderAddress + - mimecast.recipientAddress + ignore_missing: true + - remove: + description: Remove 'event.original' if 'preserve_original_event' is not set. + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + +# Error handling +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/agent.yml 
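Review bot: The two `dissect` processors meant to strip the angle brackets from `email.from.address` and `email.to.address` never take effect: both fields are built by `append`, so they are arrays, and dissect only operates on a string field — with `ignore_failure: true` the error is swallowed, which is why the sample event for this data stream later in the diff still carries `<>` as the sender address. Strip the brackets on the scalar source fields before appending and skip the append when nothing is left (an empty envelope sender `<>` would otherwise become an empty address); the rewrite below replaces the two dissect processors and the `if` conditions of the two appends. Consider also lowercasing `email.attachments.file.extension` after the painless script, since the split keeps the original case of the file name.
```yaml
  - gsub:
      field: mimecast.senderAddress
      pattern: "^<|>$"
      replacement: ""
      ignore_missing: true
  - gsub:
      field: mimecast.recipientAddress
      pattern: "^<|>$"
      replacement: ""
      ignore_missing: true
  - append:
      field: email.from.address
      value: "{{{mimecast.senderAddress}}}"
      if: "ctx.mimecast?.senderAddress != null && !ctx.mimecast.senderAddress.isEmpty()"
      ignore_failure: true
  - append:
      field: email.to.address
      value: "{{{mimecast.recipientAddress}}}"
      if: "ctx.mimecast?.recipientAddress != null && !ctx.mimecast.recipientAddress.isEmpty()"
      ignore_failure: true
  # … unchanged: actionTriggered gsub/rename and the remaining processors …
```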
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/base-fields.yml new file mode 100755 index 0000000000..d63e6b34a0 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: mimecast +- name: event.dataset + type: constant_keyword + description: Event dataset + value: mimecast.ttp_ap_logs +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/ecs.yml new file mode 100755 index 0000000000..fff261443d --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/ecs.yml 
@@ -0,0 +1,75 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Attachment file extension, excluding the leading dot. + name: email.attachments.file.extension + type: keyword +- description: SHA256 hash. + name: email.attachments.file.hash.sha256 + type: keyword +- description: |- + The MIME media type of the attachment. + This value will typically be extracted from the `Content-Type` MIME header field. + name: email.attachments.file.mime_type + type: keyword +- description: |- + The MIME media type of the attachment. + This value will typically be extracted from the `Content-Type` MIME header field. + name: email.attachments.file.mime_type + type: keyword +- description: Name of the attachment file including the file extension. + name: email.attachments.file.name + type: keyword +- description: The direction of the message based on the sending and receiving domains. + name: email.direction + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword 
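Review bot: This fields file declares `email.attachments.file.mime_type` twice (two identical entries back to back) and `event.action` twice, the second `event.action` entry differing from the first only in where its description wraps. Duplicate field definitions are at best redundant and, depending on how the package tooling merges them, can produce a conflicting mapping or a build error; keep one entry of each and drop the other.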
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/field.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/field.yml
new file mode 100755
index 0000000000..5d10a6e663
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/fields/field.yml
@@ -0,0 +1,39 @@
+- name: mimecast
+ type: group
+ fields:
+ - name: result
+ type: keyword
+ description: The result of the attachment analysis - clean, malicious, unknown, or timeout.
+ - name: senderAddress
+ type: keyword
+ description: The sender of the attachment.
+ - name: fileName
+ type: keyword
+ description: The file name of the original attachment.
+ - name: actionTriggered
+ type: keyword
+ description: The action triggered for the attachment.
+ - name: route
+ type: keyword
+ description: The route of the original email containing the attachment, either - inbound, outbound, internal, or external.
+ - name: details
+ type: keyword
+ description: Detailed output of the attachment sandbox processing.
+ - name: recipientAddress
+ type: keyword
+ description: The address of the user that received the attachment.
+ - name: fileType
+ type: keyword
+ description: The file type of the attachment.
+ - name: subject
+ type: keyword
+ description: The subject of the email.
+ - name: fileHash
+ type: keyword
+ description: The hash of the attachment.
+ - name: messageId
+ type: keyword
+ description: The internet message id of the email.
+ - name: definition
+ type: keyword
+ description: The definition.
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/manifest.yml b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/manifest.yml
new file mode 100755
index 0000000000..d2edd46208
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/manifest.yml
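Review bot: `mimecast.details` is mapped as `keyword` although, by its own description, it holds the sandbox's detailed output — in the sample event's `event.original` it already contains line breaks (`Safe \r\nTime taken: ...`) and can grow past the 1024-character `ignore_above` that package keyword fields get by default, at which point the value is stored but silently left out of the index. If the text is meant to be searchable, `type: text` (or `match_only_text`) fits better; if it is only meant to be stored, say so in the description. `mimecast.definition` is described as `The definition.`; the ingest pipeline copies it to `rule.name`, so something like `description: The name of the Mimecast definition (policy) applied to the attachment.` would tell readers what to expect in both fields.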
@@ -0,0 +1,77 @@
+title: "TTP Attachment Logs"
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: TTP Attachment Logs
+ description: Collect TTP Attachment Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: api_url
+ type: text
+ title: API URL
+ description: API Url.
+ multi: false
+ required: true
+ show_user: false
+ default: https://eu-api.mimecast.com/api/ttp/attachment/get-logs
+ - name: app_key
+ type: password
+ title: Application Key
+ description: Specifies application key for user.
+ multi: false
+ required: true
+ show_user: true
+ - name: app_id
+ type: password
+ title: Application ID
+ description: Set the Application Id.
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Set Access Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Set Secret Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-ttp-ap
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/sample_event.json
new file mode 100755
index 0000000000..d1f24d3fa3
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ap_logs/sample_event.json
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04641c23-428a-4181-9f85-c2533f734177", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "extension": "pdf", + "hash": { + "sha256": "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + }, + "mime_type": "application/pdf", + "name": "Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf" + } + }, + "direction": "inbound", + "from": { + "address": [ + "\u003c\u003e" + ] + }, + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", + "to": { + "address": [ + "johndoe@emample.com" + ] + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-05-09T10:26:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" + }, + "input": { + "type": "httpjson" + }, + 
"mimecast": { + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..b540773d61 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,50 @@
+config_version: "2"
+interval: {{interval}}
+request.url: {{api_url}}
+request.method: "POST"
+request.transforms:
+- set:
+ target: body.data
+ value: '[{"oldestFirst": false,"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]'
+ default: '[{"oldestFirst": false,"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]'
+ value_type: json
+- set:
+ target: header.x-mc-app-id
+ value: {{app_id}}
+- set:
+ target: header.x-mc-date
+ value: '[[formatDate (now) "RFC1123"]]'
+- set:
+ target: header.x-mc-req-id
+ value: "[[uuid]]"
+- set:
+ target: header.Authorization
+ value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/ttp/impersonation/get-logs:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]'
+ fail_on_template_error: true
+response.decode_as: application/json
+response.split:
+ target: body.data
+ split:
+ target: body.impersonationLogs
+response.pagination:
+- set:
+ target: body.meta.pagination.pageToken
+ value: '[[.last_response.body.meta.pagination.next]]'
+ fail_on_template_error: true
+cursor:
+next_date:
+ value: '[[.first_event.eventTime]]'
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..63eb1c2720
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
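Review bot: `next_date` appears to sit at column 0 directly after `cursor:` (`+cursor:` then `+next_date:`), whereas the ttp_url_logs template at L2790 indents it under `cursor:`; as written, `cursor` is empty and `next_date` is an unknown top-level key, so `[[.cursor.next_date]]` in the `body.data` transform presumably never resolves and every poll falls back to the `default` window of `now - interval`. That would drop events whenever a poll is delayed or the agent restarts, and nothing is persisted between runs. Indent it as `cursor:` / `  next_date:` / `    value: '[[.first_event.eventTime]]'`. Separately, `request.url: {{api_url}}` and `value: {{app_id}}` are unquoted template expansions here and at L2790; `request.url: "{{api_url}}"` and `value: "{{app_id}}"` keep the rendered YAML valid if the configured value ever contains `#` or `: `.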
@@ -0,0 +1,103 @@
+---
+description: Pipeline for processing Mimecast ttp_ip_logs.
+processors:
+ # Generic event/ecs fields we always want to populate.
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - rename:
+ field: message
+ target_field: event.original
+ - json:
+ description: Parse 'message' JSON contents into a 'mimecast' object.
+ field: event.original
+ target_field: mimecast
+ - drop:
+ if: ctx?.mimecast?.eventTime == null
+ - date:
+ description: Use 'mimecast.eventTime' as the '@timestamp'
+ field: mimecast.eventTime
+ timezone: UTC
+ formats:
+ - yyyy-MM-dd'T'HH:mm:ssZ
+ ###
+ - rename:
+ field: mimecast.senderIpAddress
+ target_field: source.ip
+ ignore_missing: true
+ - append:
+ field: email.from.address
+ value: "{{{mimecast.senderAddress}}}"
+ if: "ctx?.mimecast?.senderAddress != null"
+ ignore_failure: true
+ - rename:
+ field: mimecast.subject
+ target_field: email.subject
+ ignore_missing: true
+ - rename:
+ field: mimecast.action
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: mimecast.definition
+ target_field: rule.name
+ ignore_missing: true
+ - rename:
+ field: mimecast.id
+ target_field: event.id
+ ignore_missing: true
+ - append:
+ field: email.to.address
+ value: "{{{mimecast.recipientAddress}}}"
+ if: "ctx?.mimecast?.recipientAddress != null"
+ ignore_failure: true
+ - rename:
+ field: mimecast.messageId
+ target_field: email.message_id
+ ignore_missing: true
+ - rename:
+ field: mimecast.similarDomain
+ target_field: source.domain
+ ignore_missing: true
+ - set:
+ field: event.created
+ value: "{{mimecast.eventTime}}"
+ if: 'ctx?.mimecast?.eventTime != null'
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: 'ctx?.source?.ip != null'
+ - dissect:
+ field: email.from.address
+ pattern: "<%{email.from.address}>"
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ field: email.to.address
+ pattern: "<%{email.to.address}>"
+ ignore_missing: true
+ ignore_failure: true
+ - lowercase:
+ field: email.direction
+ ignore_missing: true
+
+ ### Cleanup
+ - remove:
+ description: Cleanup of repeated/unwanted/temporary fields.
+ field:
+ - mimecast.eventTime
+ - mimecast.senderAddress
+ - mimecast.recipientAddress
+ ignore_missing: true
+ - remove:
+ description: Remove 'event.original' if 'preserve_original_event' is not set.
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+
+# Error handling
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/agent.yml
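Review bot: The `rename` of `mimecast.similarDomain` to `source.domain` can never match: `field.yml` at L2784 and the sample event at L2789 both place `similarDomain` inside the `impersonationResults` array of objects, so with `ignore_missing: true` the processor is a silent no-op and `source.domain` (declared in ecs.yml at L2783) is never populated. Either drop the processor or pull the value out of the array with a `foreach`/`script` step, bearing in mind that the sample value is `John Doe <johndoe_cdw@example.com>`, a display name plus address rather than a domain. The `lowercase` on `email.direction` is likewise dead here because nothing in this pipeline sets `email.direction`, while the ttp_url_logs pipeline at L2792 does set it from `route` and has no lowercase step, so the two steps look swapped between the files. The two `dissect` processors run on `email.from.address`/`email.to.address` after `append` has made them arrays; dissect expects a string, so with `ignore_failure: true` the `<...>` stripping presumably never happens (the ttp_ap_logs sample event at L2774, produced by a sibling pipeline with the same pattern, still shows `<>` as the from address).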
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/base-fields.yml
new file mode 100755
index 0000000000..96b197da78
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: mimecast
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: mimecast.ttp_ip_logs
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/ecs.yml
new file mode 100755
index 0000000000..0e46c52cd3
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/ecs.yml
@@ -0,0 +1,64 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
+ name: email.from.address
+ type: keyword
+- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
+ name: email.message_id
+ type: wildcard
+- description: A brief summary of the topic of the message.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: email.subject
+ type: keyword
+- description: The email address of recipient
+ name: email.to.address
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/field.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/field.yml
new file mode 100755
index 0000000000..d283a05131
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/fields/field.yml
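Review bot: `event.action` is declared twice in this file, with two identical `- description: |-` / `The action captured by the event.` entries back to back; one of them should be deleted, since a repeated field definition adds nothing and may trip package validation. `source.domain` is declared here but the pipeline at L2777 only tries to fill it from `mimecast.similarDomain`, a path that does not exist in the parsed document (the value lives under `impersonationResults`), so either the declaration or the pipeline step needs to change to match.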
@@ -0,0 +1,54 @@
+- name: mimecast
+ type: group
+ fields:
+ - name: hits
+ type: long
+ description: The number of identifiers that the message triggered.
+ - name: taggedMalicious
+ type: boolean
+ description: Whether the message was tagged as malicious.
+ - name: senderIpAddress
+ type: keyword
+ description: The source IP address of the message.
+ - name: senderAddress
+ type: keyword
+ description: The email address of the sender of the message.
+ - name: subject
+ type: keyword
+ description: The subject of the email.
+ - name: identifiers
+ type: keyword
+ description: The properties of the message that triggered the action - similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, and/or targeted_threat_dictionary.
+ - name: action
+ type: keyword
+ description: The action triggered by the email.
+ - name: definition
+ type: keyword
+ description: The name of the policy definition that triggered the log.
+ - name: id
+ type: keyword
+ description: A token that can be used to retrieve this log again.
+ - name: recipientAddress
+ type: keyword
+ description: The email address of the recipient of the email.
+ - name: taggedExternal
+ type: boolean
+ description: Whether the message was tagged as coming from an external address.
+ - name: messageId
+ type: keyword
+ description: The message-id of the identified message.
+ - name: impersonationResults
+ type: group
+ fields:
+ - name: impersonationDomainSource
+ type: keyword
+ description: Impersonation domain source.
+ - name: stringSimilarToDomain
+ type: keyword
+ description: The string that is suspiciously similar to a known value within the Mimecast configuration. Multiple triggers will be comma-separated.
+ - name: similarDomain
+ type: keyword
+ description: Similar domain.
+ - name: checkerResult
+ type: keyword
+ description: Result checker.
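Review bot: Most of the top-level `mimecast.*` entries here (`senderIpAddress`, `senderAddress`, `subject`, `action`, `definition`, `id`, `recipientAddress`, `messageId`) are renamed to ECS fields or removed by the ingest pipeline at L2776–L2777 before indexing, so the mapping declares fields that never appear in a document; trim the list to what survives (`hits`, `taggedMalicious`, `identifiers`, `taggedExternal`, `impersonationResults.*`) or add a comment explaining why the raw names are kept. The descriptions `Similar domain.` and `Result checker.` are placeholders; based on the one sample event at L2789, `similarDomain` holds a display name plus address (`John Doe <johndoe_cdw@example.com>`) and `checkerResult` holds `hit`, so something like `The sender value that resembled a known internal name or domain.` and `Result of the impersonation check, e.g. hit.` would be closer, to be confirmed against the Mimecast API documentation.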
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/manifest.yml b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/manifest.yml
new file mode 100755
index 0000000000..4f415213bd
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/manifest.yml
@@ -0,0 +1,77 @@
+title: "TTP Impersonation Mimecast Logs"
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: TTP Impersonation events
+ description: Collect TTP Impersonation Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: api_url
+ type: text
+ title: API URL
+ description: API Url.
+ multi: false
+ required: true
+ show_user: false
+ default: https://eu-api.mimecast.com/api/ttp/impersonation/get-logs
+ - name: app_key
+ type: password
+ title: Application Key
+ description: Specifies application key for user.
+ multi: false
+ required: true
+ show_user: true
+ - name: app_id
+ type: password
+ title: Application ID
+ description: Set the Application Id.
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Set Access Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Set Secret Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-ttp-ip
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
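Review bot: The titles are inconsistent with the sibling data stream: the file uses `title: "TTP Impersonation Mimecast Logs"` and the stream `title: TTP Impersonation events`, while the ttp_ap_logs manifest at L2771 uses `TTP Attachment Logs` for both; `title: "TTP Impersonation Logs"` in both places would keep the Fleet UI wording uniform. The `api_url` description `API Url.` also gives no hint that the hidden default points at the `eu-api.mimecast.com` host, so an operator in another region has nothing to go on; a description that names the default and says to change it to the account's regional host would fix that.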
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/sample_event.json
new file mode 100755
index 0000000000..0e2be3fbdf
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_ip_logs/sample_event.json
@@ -0,0 +1,81 @@ +{ + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "e8d74ee7-38ba-4ce5-ae3a-035bfeb01d97", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "message_id": "\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", + "to": { + "address": [ + "johndoe@example.com" + ] + } + }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": "2022-05-09T10:26:50Z", + "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "hits": 1, + 
"identifiers": [ + "internal_user_name" + ], + "impersonationResults": [ + { + "checkerResult": "hit", + "impersonationDomainSource": "internal_user_name", + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", + "stringSimilarToDomain": "John Doe" + } + ], + "taggedExternal": false, + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..f3648885d6 --- /dev/null +++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,50 @@
+config_version: "2"
+interval: {{interval}}
+request.url: {{api_url}}
+request.method: "POST"
+request.transforms:
+- set:
+ target: body.data
+ value: '[{"oldestFirst": false,"scanResult": "all","route":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]'
+ default: '[{"oldestFirst": false,"scanResult": "all","route":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-{{interval}}")) "2006-01-02T15:04:05+0700"]]"}]'
+ value_type: json
+- set:
+ target: header.x-mc-app-id
+ value: {{app_id}}
+- set:
+ target: header.x-mc-date
+ value: '[[formatDate (now) "RFC1123"]]'
+- set:
+ target: header.x-mc-req-id
+ value: "[[uuid]]"
+- set:
+ target: header.Authorization
+ value: 'MC {{access_key}}:[[hmacBase64 "sha1" (base64Decode "{{secret_key}}") (sprintf "%s:%s:/api/ttp/url/get-logs:{{app_key}}" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]]'
+ fail_on_template_error: true
+response.decode_as: application/json
+response.split:
+ target: body.data
+ split:
+ target: body.clickLogs
+response.pagination:
+- set:
+ target: body.meta.pagination.pageToken
+ value: '[[.last_response.body.meta.pagination.next]]'
+ fail_on_template_error: true
+cursor:
+ next_date:
+ value: '[[.first_event.date]]'
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..b0e2a979de
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,108 @@
+---
+description: Pipeline for processing Mimecast ttp_url_logs.
+processors:
+ # Generic event/ecs fields we always want to populate.
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - rename:
+ field: message
+ target_field: event.original
+ - json:
+ description: Parse 'message' JSON contents into a 'mimecast' object.
+ field: event.original
+ target_field: mimecast
+ - drop:
+ if: ctx?.mimecast?.date == null
+ - date:
+ description: Use 'mimecast.date' as the '@timestamp'
+ field: mimecast.date
+ timezone: UTC
+ formats:
+ - yyyy-MM-dd'T'HH:mm:ssZ
+
+ ###
+ - rename:
+ field: mimecast.url
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ field: mimecast.userAwarenessAction
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: mimecast.route
+ target_field: email.direction
+ ignore_missing: true
+ - rename:
+ field: mimecast.ttpDefinition
+ target_field: rule.name
+ ignore_missing: true
+ - rename:
+ field: mimecast.subject
+ target_field: email.subject
+ ignore_missing: true
+ - rename:
+ field: mimecast.messageId
+ target_field: email.message_id
+ ignore_missing: true
+ - set:
+ field: email.from.address
+ value: ["{{{mimecast.fromUserEmailAddress}}}"]
+ if: "ctx?.mimecast?.fromUserEmailAddress != null"
+ - set:
+ field: email.to.address
+ value: ["{{{mimecast.userEmailAddress}}}"]
+ if: "ctx?.mimecast?.userEmailAddress != null"
+ - set:
+ field: user.email
+ value: ["{{{mimecast.userEmailAddress}}}"]
+ if: "ctx?.mimecast?.userEmailAddress != null"
+ - append:
+ field: related.user
+ value: "{{{mimecast.userEmailAddress}}}"
+ allow_duplicates: false
+ if: 'ctx?.mimecast?.userEmailAddress !=null'
+ ignore_failure: true
+ - rename:
+ field: mimecast.sendingIp
+ target_field: source.ip
+ ignore_missing: true
+ - set:
+ field: event.created
+ value: "{{mimecast.date}}"
+ if: 'ctx?.mimecast?.date != null'
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: 'ctx?.source?.ip !=null'
+ - dissect:
+ field: email.from.address
+ pattern: "<%{email.from.address}>"
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ field: email.to.address
+ pattern: "<%{email.to.address}>"
+ ignore_missing: true
+ ignore_failure: true
+ ### Cleanup
+ - remove:
+ description: Cleanup of repeated/unwanted/temporary fields.
+ field:
+ - mimecast.date
+ - mimecast.fromUserEmailAddress
+ - mimecast.userEmailAddress
+ ignore_missing: true
+ - remove:
+ description: Remove 'event.original' if 'preserve_original_event' is not set.
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+
+# Error handling
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/agent.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/agent.yml
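Review bot: `user.email` is set to a one-element array (`value: ["{{{mimecast.userEmailAddress}}}"]`), but ECS defines `user.email` as a single keyword; the array form is right for `email.to.address`, while the `user.email` processor should use `value: "{{{mimecast.userEmailAddress}}}"`. The `append` to `related.user` also stores an email address, whereas `related.user` is intended for user names; if the address is the only identifier the API provides, a `description:` on that processor saying so would save the next reader a question. Two conditions are written `!=null` (on `related.user` and `related.ip`) while every other condition in the file uses `!= null`; make them consistent.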
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/base-fields.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/base-fields.yml
new file mode 100755
index 0000000000..29bf273c1b
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: mimecast
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: mimecast.ttp_url_logs
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/ecs.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/ecs.yml
new file mode 100755
index 0000000000..dbfa05f4d5
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/ecs.yml
@@ -0,0 +1,74 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The direction of the message based on the sending and receiving domains. + name: email.direction + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: User email address. + name: user.email + type: keyword diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/field.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/field.yml new file mode 100755 index 0000000000..b2cd2e06f6 --- /dev/null 
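Review bot: `event.action` is declared twice in this file, back to back, with identical description and type; the second entry is redundant and, depending on how the package tooling assembles the field list, may be reported as a duplicate field definition. Drop one of the two entries. The `email.to.address` description, `The email address of recipient`, is also the only one here without an article or terminal period; `The email address of the recipient.` would match the rest.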
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/fields/field.yml
@@ -0,0 +1,54 @@
+- name: mimecast
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The category of the URL clicked.
+ - name: userEmailAddress
+ type: keyword
+ description: The email address of the user who clicked the link.
+ - name: url
+ type: keyword
+ description: The url clicked.
+ - name: userAwarenessAction
+ type: keyword
+ description: The action taken by the user if user awareness was applied.
+ - name: route
+ type: keyword
+ description: The route of the email that contained the link.
+ - name: adminOverride
+ type: keyword
+ description: The action defined by the administrator for the URL.
+ - name: scanResult
+ type: keyword
+ description: The result of the URL scan.
+ - name: action
+ type: keyword
+ description: The action that was taken for the click.
+ - name: ttpDefinition
+ type: keyword
+ description: The description of the definition that triggered the URL to be rewritten by Mimecast.
+ - name: userOverride
+ type: keyword
+ description: The action requested by the user.
+ - name: emailPartsDescription
+ type: keyword
+ description: An array of components of the messge where the URL was found.
+ - name: subject
+ type: keyword
+ description: The subject of the email.
+ - name: messageId
+ type: keyword
+ description: The message-id value of the message.
+ - name: actions
+ type: keyword
+ description: The actions that were taken.
+ - name: creationMethod
+ type: keyword
+ description: The description how event occurred.
+ - name: fromUserEmailAddress
+ type: keyword
+ description: The email of user who triggers the event.
+ - name: sendingIP
+ type: keyword
+ description: The IP of user who triggers the event.
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/manifest.yml b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/manifest.yml
new file mode 100755
index 0000000000..4de8b587cd
--- /dev/null
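Review bot: `sendingIP` in the last entry does not match the key the pipeline actually handles, `mimecast.sendingIp` (the sample event's original payload also spells it `"sendingIp"`), so this definition describes a field that never exists while the real value is renamed to `source.ip`. When the pipeline succeeds it also renames `url`, `userAwarenessAction`, `route`, `ttpDefinition`, `subject` and `messageId` to ECS fields and removes `userEmailAddress` and `fromUserEmailAddress`, so those `mimecast.*` entries document fields that are never populated either; either drop them or name the ECS target in each description so readers know where to look. The `emailPartsDescription` description has a typo, `messge` for `message`, and the last two descriptions would read better as `The email address of the user who triggered the event.` and `The IP address of the sender that triggered the event.`.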
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/manifest.yml
@@ -0,0 +1,77 @@
+title: "TTP URL Logs"
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: TTP URL Logs
+ description: Collect TTP URL Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: api_url
+ type: text
+ title: API URL
+ description: API Url.
+ multi: false
+ required: true
+ show_user: false
+ default: https://eu-api.mimecast.com/api/ttp/url/get-logs
+ - name: app_key
+ type: password
+ title: Application Key
+ description: Specifies application key for user.
+ multi: false
+ required: true
+ show_user: true
+ - name: app_id
+ type: password
+ title: Application ID
+ description: Set the Application Id.
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Set Access Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Set Secret Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-ttp-url
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
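Review bot: The `api_url` variable's description, `API Url.`, tells the operator nothing about what is expected, and since it is hidden behind `show_user: false` they only find it when something fails; the default points at `eu-api.mimecast.com`, which suggests the host is region-specific and that accounts served elsewhere must change it. A description along the lines of `Mimecast API URL for the TTP URL logs endpoint. The default is the EU endpoint; use the host for your account's region.` would cover that. The four credential descriptions (`Specifies application key for user.`, `Set the Application Id.`, `Set Access Key.`, `Set Secret Key.`) are inconsistent in phrasing and could each say that the value is issued for this integration by Mimecast, as the README in this same commit states.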
diff --git a/packages/mimecast/0.0.12/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/sample_event.json
new file mode 100755
index 0000000000..69197d55c8
--- /dev/null
+++ b/packages/mimecast/0.0.12/data_stream/ttp_url_logs/sample_event.json
@@ -0,0 +1,88 @@ +{ + "@timestamp": "2021-11-10T03:49:53.000Z", + "agent": { + "ephemeral_id": "fbfd6110-bdd7-4230-b13b-4768be6ad132", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.ttp_url_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "googlealerts-noreply@google.com" + ] + }, + "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e", + "subject": "Google Alert - china", + "to": { + "address": [ + "johndoe@example.com" + ] + } + }, + "event": { + "action": "Continue", + "agent_id_status": "verified", + "created": "2021-11-10T03:49:53+0000", + "dataset": "mimecast.ttp_url_logs", + "ingested": "2022-05-09T10:27:40Z", + "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 
'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "action": "allow", + "actions": "Allow", + "adminOverride": "N/A", + "category": "Search Engines \u0026 Portals", + "creationMethod": "User Click", + "emailPartsDescription": [ + "Body" + ], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "8.8.8.8" + ], + "user": [ + "johndoe@example.com" + ] + }, + "rule": { + "name": "Inbound URL 'Aggressive'" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-url" + ], + "url": { + "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg" + }, + "user": { + "email": [ + "johndoe@example.com" + ] + } +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/docs/README.md b/packages/mimecast/0.0.12/docs/README.md new file mode 100755 index 0000000000..c67fac468b --- /dev/null +++ b/packages/mimecast/0.0.12/docs/README.md 
@@ -0,0 +1,1314 @@ +# Mimecast Integration + +The Mimecast integration collects events from the Mimecast API. + +## Configuration + +Authorization parameters for the Mimecast API (`Application Key`, `Application +ID`, `Access Key`, and `Secret Key`) should be provided by a Mimecast +representative for this integration. Under `Advanced options` you can set the +time interval between two API requests as well as the API URL. A Mimecast +representative should also be able to give you this information in case you need +to change the defaults. + +Note that rate limit quotas may require you to set up different credentials for +the different available log types. + +## Logs + +### Audit Events + +This is the `mimecast.audit_events` dataset. These logs contain Mimecast audit +events with the following details: audit type, event category, and detailed +information about the event. More information about these logs [here] +(https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-audit-events/). 
+ +An example event for `audit_events` looks as following: + +```json +{ + "@timestamp": "2021-11-16T12:01:37.000Z", + "agent": { + "ephemeral_id": "a52ffcd4-9b76-4efd-bc6d-4afebe1b20d6", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.audit_events", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "search-action", + "agent_id_status": "verified", + "created": "2022-05-09T10:21:38.573Z", + "dataset": "mimecast.audit_events", + "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", + "ingested": "2022-05-09T10:21:39Z", + "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "category": "case_review_logs", + "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" + }, + "related": { + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event", + 
"forwarded", + "mimecast-audit-events" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.origination_timestamp | The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. | date | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| mimecast.2FA | Info about two-factor authentication. | keyword | +| mimecast.application | The Mimecast unique id of the event. | keyword | +| mimecast.category | The category of the event. | keyword | +| mimecast.email.address | Email address from event info. | keyword | +| mimecast.email.metadata | The email meta data from audit info. | keyword | +| mimecast.eventInfo | The detailed event information. | keyword | +| mimecast.method | Method which triggers audit events. 
| keyword | +| mimecast.remote | Info about remote IP trying to access the API. | keyword | +| mimecast.remote_ip | Remote IP. | ip | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### DLP Logs + +This is the `mimecast.dlp_logs` dataset. These logs contain information about +messages that triggered a DLP or Content Examination policy. More information +about these logs [here] +(https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-dlp-logs/). + +An example event for `dlp` looks as following: + +```json +{ + "@timestamp": "2021-11-18T21:41:18.000Z", + "agent": { + "ephemeral_id": "0461fb9e-2359-4960-9036-461e4763582d", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.dlp_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "\u003c\u003e" + ] + }, + "message_id": "\u003c20211118214115.B346F10021D@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", + "to": { + "address": [ + "johndoe@example.com" + ] + } + }, + "event": { + "action": "notification", + "agent_id_status": "verified", + "created": "2021-11-18T21:41:18+0000", + "dataset": "mimecast.dlp_logs", + "ingested": "2022-05-09T10:22:29Z", + 
"original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" + }, + "input": { + "type": "httpjson" + }, + "rule": { + "name": "Content Inspection - Watermark" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-dlp-logs" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.direction | The direction of the message based on the sending and receiving domains. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. 
for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| rule.name | The name of the rule or signature generating the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | + + +### SIEM Logs + +This is the `mimecast.siem_logs` dataset. These logs contain information about +messages that contains MTA (message transfer agent) log – all inbound, +outbound, and internal messages. More about these logs +[here](https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/). + +An example event for `siem` looks as following: + +```json +{ + "@timestamp": "2021-11-12T12:15:46.000Z", + "agent": { + "ephemeral_id": "d683003b-9e59-4e3d-91fe-3b3411c5946f", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.siem_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "local_id": "fjihpfEgM_iRwemxhe3t_w", + "to": { + "address": "o365_service_account@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "created": "2021-11-12T12:15:46+0000", + "dataset": "mimecast.siem_logs", + "ingested": "2022-05-09T10:23:21Z", + "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "outcome": "unknown" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "RcptActType": "Jnl", + "RcptHdrType": "Unknown", + "acc": "ABC123", + 
"log_type": "jrnl" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-siem-logs" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments.file.extension | Attachment file extension, excluding the leading dot. | keyword | +| email.attachments.file.hash.md5 | MD5 hash. | keyword | +| email.attachments.file.hash.sha1 | SHA1 hash. 
| keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.attachments.file.size | Attachment file size in bytes. | long | +| email.direction | The direction of the message based on the sending and receiving domains. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. 
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| mimecast.AttCnt | The number of attachments on the email. | long | +| mimecast.AttNames | The filenames of all attachments on the email. | keyword | +| mimecast.Attempt | The count of attempts that the Mimecast MTA has made to deliver the email. | long | +| mimecast.CustomName | The message has matched a custom name. | keyword | +| mimecast.CustomThreatDictionary | The content of the email was detected to contain words in a custom threat dictionary. | keyword | +| mimecast.CustomerIP | The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. | keyword | +| mimecast.Hits | Number of items flagged for the message. | keyword | +| mimecast.IPInternalName | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from an internal user name. | keyword | +| mimecast.IPNewDomain | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from a new domain. | keyword | +| mimecast.IPReplyMismatch | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detetced to have a mismatch in the reply to address. | keyword | +| mimecast.IPSimilarDomain | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detetced to be from a similar domain to any domain you have registered as an Internal Domain. | keyword | +| mimecast.IPThreadDict | For emails subject to Targeted Threat Protection - Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | +| mimecast.InternalName | The email was detected to be from an internal user name. 
| keyword | +| mimecast.Latency | The time in milliseconds that the delivery attempt took. | long | +| mimecast.MimecastIP | The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal. | keyword | +| mimecast.MsgId | The internet message id of the email. | keyword | +| mimecast.MsgSize | The total size of the email. | long | +| mimecast.RcptActType | Action after reception. | keyword | +| mimecast.RcptHdrType | Type of the receipt header. | keyword | +| mimecast.ReceiptAck | The receipt acknowledgment message received by Mimecast from the receiving mail server. | keyword | +| mimecast.ReplyMismatch | The reply address does not correspond to the senders address. | keyword | +| mimecast.ScanResultInfo | The reason that the click was blocked. | keyword | +| mimecast.SenderDomainInternal | The sender domain is a registered internal domain. | keyword | +| mimecast.SimilarCustomExternalDomain | The senders domain is similar to a custom external domain list. | keyword | +| mimecast.SimilarInternalDomain | The senders domain is similar to a registered internal domain. | keyword | +| mimecast.SimilarMimecastExternalDomain | The senders domain is similar to a Mimecast managed list of domains. | keyword | +| mimecast.Snt | The amount of data in bytes that were delivered. | long | +| mimecast.SpamInfo | Information from Mimecast Spam scanners for messages found to be Spam. | keyword | +| mimecast.SpamLimit | The Spam limit defined for the given sender and recipient. | long | +| mimecast.SpamProcessingDetail | The Spam processing details for DKIM, SPF, DMARC. | keyword | +| mimecast.SpamScore | The Spam score the email was given. | long | +| mimecast.Subject | The subject of the email, limited to 150 characters. | keyword | +| mimecast.TaggedExternal | The message has been tagged as originating from a external source. | keyword | +| mimecast.TaggedMalicious | The message has been tagged as malicious. 
| keyword | +| mimecast.ThreatDictionary | The content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | +| mimecast.UrlCategory | The category of the URL that was clicked. | keyword | +| mimecast.Virus | The name of the virus found on the email, if applicable. | keyword | +| mimecast.acc | The Mimecast account code for your account. | keyword | +| mimecast.credentialTheft | The info about credential theft. | keyword | +| mimecast.log_type | String to get type of SIEM log. | keyword | +| mimecast.msgid | The internet message id of the email. | keyword | +| mimecast.urlCategory | The category of the URL that was clicked. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. 
| keyword | +| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| user.email | User email address. | keyword | + + +### Threat Intel Feed Malware: Customer + +This is the `mimecast.threat_intel_malware_customer` dataset. These logs contain +information about messages that return identified malware threats at a customer +level. More about these logs +[here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). + +An example event for `threat_intel_malware_customer` looks as following: + +```json +{ + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "11e300ff-bc6a-4674-9452-d4fb167b7d59", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-05-09T10:24:11.849Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-05-09T10:24:12Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 
'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" + }, + "related": { + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + } + }, + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", + "type": "file" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| mimecast.created | When the indicator was last created. | date | +| mimecast.hashtype | The hash type. | keyword | +| mimecast.id | The ID of the indicator. | keyword | +| mimecast.labels | The labels related to the indicator. | keyword | +| mimecast.log_type | String to get type of Threat intel feed. 
| keyword | +| mimecast.modified | When the indicator was last modified. | date | +| mimecast.name | Name of the file. | keyword | +| mimecast.pattern | The pattern. | keyword | +| mimecast.relationship_type | Type of the relationship. | keyword | +| mimecast.source_ref | Source of the reference. | keyword | +| mimecast.target_ref | Reference target. | keyword | +| mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | +| mimecast.valid_from | The valid from date. | date | +| mimecast.value | The value of the indicator. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | + + +### Threat Intel Feed Malware: Grid + +This is the `mimecast.threat_intel_malware_grid` dataset. These logs contain +information about messages that return identified malware threats at a regional +grid level. 
More about these logs +[here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). + +An example event for `threat_intel_malware_grid` looks as following: + +```json +{ + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "d4b2c0c8-5d78-4482-9e6b-4b5a6d55e652", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-05-09T10:25:08.535Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-05-09T10:25:09Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" + }, + "related": { + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": 
"ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + } + }, + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", + "type": "file" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| mimecast.created | When the indicator was last created. | date | +| mimecast.hashtype | The hash type. | keyword | +| mimecast.id | The ID of the indicator. | keyword | +| mimecast.labels | The labels related to the indicator. | keyword | +| mimecast.log_type | String to get type of Threat intel feed. | keyword | +| mimecast.modified | When the indicator was last modified. | date | +| mimecast.name | Name of the file. | keyword | +| mimecast.pattern | The pattern. | keyword | +| mimecast.relationship_type | Type of the relationship. | keyword | +| mimecast.source_ref | Source of the reference. | keyword | +| mimecast.target_ref | Reference target. | keyword | +| mimecast.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | +| mimecast.valid_from | The valid from date. | date | +| mimecast.value | The value of the indicator. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | + + +### TTP Attachment Logs + +This is the `mimecast.ttp_ap_logs` dataset. These logs contain Mimecast TTP +attachment protection logs with the following details: result of attachment +analysis (if it is malicious or not etc.), date when file is released, sender +and recipient address, filename and type, action triggered for the attachment, +the route of the original email containing the attachment and details. Learn +more about these logs [here] +(https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-attachment-protection-logs/). 
+ +An example event for `ttp_ap` looks as following: + +```json +{ + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04641c23-428a-4181-9f85-c2533f734177", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "extension": "pdf", + "hash": { + "sha256": "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + }, + "mime_type": "application/pdf", + "name": "Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf" + } + }, + "direction": "inbound", + "from": { + "address": [ + "\u003c\u003e" + ] + }, + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", + "to": { + "address": [ + "johndoe@emample.com" + ] + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-05-09T10:26:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" 
+ }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments.file.extension | Attachment file extension, excluding the leading dot. | keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.direction | The direction of the message based on the sending and receiving domains. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| mimecast.actionTriggered | The action triggered for the attachment. | keyword | +| mimecast.definition | The definition. | keyword | +| mimecast.details | Detailed output of the attachment sandbox processing. | keyword | +| mimecast.fileHash | The hash of the attachment. | keyword | +| mimecast.fileName | The file name of the original attachment. | keyword | +| mimecast.fileType | The file type of the attachment. | keyword | +| mimecast.messageId | The internet message id of the email. | keyword | +| mimecast.recipientAddress | The address of the user that received the attachment. | keyword | +| mimecast.result | The result of the attachment analysis - clean, malicious, unknown, or timeout. | keyword | +| mimecast.route | The route of the original email containing the attachment, either - inbound, outbound, internal, or external. | keyword | +| mimecast.senderAddress | The sender of the attachment. | keyword | +| mimecast.subject | The subject of the email. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| tags | List of keywords used to tag each event. 
| keyword | + + +### TTP Impersonation Logs + +This is the `mimecast.ttp_ip_logs` dataset. These logs contain information about +messages containing information flagged by an Impersonation Protection +configuration. Learn more about these logs [here] +(https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-impersonation-protect-logs/). + +An example event for `ttp_ip` looks as following: + +```json +{ + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "e8d74ee7-38ba-4ce5-ae3a-035bfeb01d97", + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad", + "snapshot": false, + "version": "8.2.0" + }, + "email": { + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "message_id": "\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", + "to": { + "address": [ + "johndoe@example.com" + ] + } + }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": "2022-05-09T10:26:50Z", + "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe 
\\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "hits": 1, + "identifiers": [ + "internal_user_name" + ], + "impersonationResults": [ + { + "checkerResult": "hit", + "impersonationDomainSource": "internal_user_name", + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", + "stringSimilarToDomain": "John Doe" + } + ], + "taggedExternal": false, + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. 
| keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| mimecast.action | The action triggered by the email. | keyword | +| mimecast.definition | The name of the policy definition that triggered the log. | keyword | +| mimecast.hits | The number of identifiers that the message triggered. | long | +| mimecast.id | A token that can be used to retrieve this log again. | keyword | +| mimecast.identifiers | The properties of the message that triggered the action - similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, and/or targeted_threat_dictionary. | keyword | +| mimecast.impersonationResults.checkerResult | Result checker. | keyword | +| mimecast.impersonationResults.impersonationDomainSource | Impersonation domain source. | keyword | +| mimecast.impersonationResults.similarDomain | Similar domain. | keyword | +| mimecast.impersonationResults.stringSimilarToDomain | The string that is suspiciously similar to a known value within the Mimecast configuration. Multiple triggers will be comma-separated. | keyword | +| mimecast.messageId | The message-id of the identified message. | keyword | +| mimecast.recipientAddress | The email address of the recipient of the email. | keyword | +| mimecast.senderAddress | The email address of the sender of the message. 
| keyword | +| mimecast.senderIpAddress | The source IP address of the message. | keyword | +| mimecast.subject | The subject of the email. | keyword | +| mimecast.taggedExternal | Whether the message was tagged as coming from an external address. | boolean | +| mimecast.taggedMalicious | Whether the message was tagged as malicious. | boolean | +| related.ip | All of the IPs seen on your event. | ip | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + + +### TTP URL Logs + +This is the `mimecast.ttp_url_logs` dataset. These logs contain Mimecast TTP +attachment protection logs with the following details: the category of the URL +clicked, the email address of the user who clicked the link, the url clicked, +the action taken by the user if user awareness was applied, the route of the +email that contained the link, the action defined by the administrator for the +URL, the date that the URL was clicked, url scan result, the action that was +taken for the click, the description of the definition that triggered the URL to +be rewritten by Mimecast, the action requested by the user, an array of +components of the message where the URL was found. More about these logs +[here](https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-url-logs/). 
+
+An example event for `ttp_url` looks as following:
+
+```json
+{
+ "@timestamp": "2021-11-10T03:49:53.000Z",
+ "agent": {
+ "ephemeral_id": "fbfd6110-bdd7-4230-b13b-4768be6ad132",
+ "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "mimecast.ttp_url_logs",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "2f28c80b-ffde-4202-a4bd-938a8ce174ad",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "email": {
+ "direction": "inbound",
+ "from": {
+ "address": [
+ "googlealerts-noreply@google.com"
+ ]
+ },
+ "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e",
+ "subject": "Google Alert - china",
+ "to": {
+ "address": [
+ "johndoe@example.com"
+ ]
+ }
+ },
+ "event": {
+ "action": "Continue",
+ "agent_id_status": "verified",
+ "created": "2021-11-10T03:49:53+0000",
+ "dataset": "mimecast.ttp_url_logs",
+ "ingested": "2022-05-09T10:27:40Z",
+ "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "mimecast": {
+ "action": "allow",
+ "actions": "Allow",
+ "adminOverride": "N/A",
+ "category": "Search Engines \u0026 Portals",
+ "creationMethod": "User Click",
+ "emailPartsDescription": [
+ "Body"
+ ],
+ "scanResult": "clean",
+ "userOverride": "None"
+ },
+ "related": {
+ "ip": [
+ "8.8.8.8"
+ ],
+ "user": [
+ "johndoe@example.com"
+ ]
+ },
+ "rule": {
+ "name": "Inbound URL 'Aggressive'"
+ },
+ "source": {
+ "ip": "8.8.8.8"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "mimecast-ttp-url"
+ ],
+ "url": {
+ "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg"
+ },
+ "user": {
+ "email": [
+ "johndoe@example.com"
+ ]
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
+| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
+| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
+| email.subject | A brief summary of the topic of the message. | keyword |
+| email.subject.text | Multi-field of `email.subject`. | match_only_text |
+| email.to.address | The email address of recipient | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| mimecast.action | The action that was taken for the click. | keyword |
+| mimecast.actions | The actions that were taken. | keyword |
+| mimecast.adminOverride | The action defined by the administrator for the URL. | keyword |
+| mimecast.category | The category of the URL clicked. | keyword |
+| mimecast.creationMethod | The description how event occurred. | keyword |
+| mimecast.emailPartsDescription | An array of components of the messge where the URL was found. | keyword |
+| mimecast.fromUserEmailAddress | The email of user who triggers the event. | keyword |
+| mimecast.messageId | The message-id value of the message. | keyword |
+| mimecast.route | The route of the email that contained the link. | keyword |
+| mimecast.scanResult | The result of the URL scan. | keyword |
+| mimecast.sendingIP | The IP of user who triggers the event. | keyword |
+| mimecast.subject | The subject of the email. | keyword |
+| mimecast.ttpDefinition | The description of the definition that triggered the URL to be rewritten by Mimecast. | keyword |
+| mimecast.url | The url clicked. | keyword |
+| mimecast.userAwarenessAction | The action taken by the user if user awareness was applied. | keyword |
+| mimecast.userEmailAddress | The email address of the user who clicked the link. | keyword |
+| mimecast.userOverride | The action requested by the user. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| user.email | User email address. | keyword |
+
diff --git a/packages/mimecast/0.0.12/img/mimecast.png b/packages/mimecast/0.0.12/img/mimecast.png
new file mode 100755
index 0000000000..5f90ad2f48
Binary files /dev/null and b/packages/mimecast/0.0.12/img/mimecast.png differ
diff --git a/packages/mimecast/0.0.12/img/mimecast.svg b/packages/mimecast/0.0.12/img/mimecast.svg
new file mode 100755
index 0000000000..dc7aae3883
--- /dev/null
+++ b/packages/mimecast/0.0.12/img/mimecast.svg
@@ -0,0 +1,15 @@ + + + + + + + +
diff --git a/packages/mimecast/0.0.12/img/sample-logo.svg b/packages/mimecast/0.0.12/img/sample-logo.svg
new file mode 100755
index 0000000000..6268dd88f3
--- /dev/null
+++ b/packages/mimecast/0.0.12/img/sample-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/img/sample-screenshot.png b/packages/mimecast/0.0.12/img/sample-screenshot.png
new file mode 100755
index 0000000000..d7a56a3ecc
Binary files /dev/null and b/packages/mimecast/0.0.12/img/sample-screenshot.png differ
diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-042d5620-5411-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-042d5620-5411-11ec-bd43-b5e1f9a9c8d5.json
new file mode 100755
index 0000000000..33c5e416b8
--- /dev/null
+++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-042d5620-5411-11ec-bd43-b5e1f9a9c8d5.json
@@ -0,0 +1,93 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.dlp_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.dlp_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-47e0f438-1420-40d4-a779-1845993eb7ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"47e0f438-1420-40d4-a779-1845993eb7ea\":{\"columnOrder\":[\"031fd53e-b3ed-422e-b50a-6da93afe2752\",\"6fb9dc4a-1056-4e74-a4e4-a469941b6efa\"],\"columns\":{\"031fd53e-b3ed-422e-b50a-6da93afe2752\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"6fb9dc4a-1056-4e74-a4e4-a469941b6efa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.dlp_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.dlp_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"mimecast.dlp_logs\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"6fb9dc4a-1056-4e74-a4e4-a469941b6efa\"],\"layerId\":\"47e0f438-1420-40d4-a779-1845993eb7ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"031fd53e-b3ed-422e-b50a-6da93afe2752\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":true,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"15971769-d6c7-4cbd-a65b-41773cac89f9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15971769-d6c7-4cbd-a65b-41773cac89f9\",\"title\":\"DLP Logs Over 
Time\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0fff056b-7794-4070-8170-3657002b9253\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0fff056b-7794-4070-8170-3657002b9253\":{\"columnOrder\":[\"e4eb146d-7546-4a24-ae35-eb2824b345a2\",\"c9c6ab54-8f0d-49b4-bf62-33f88decd52c\"],\"columns\":{\"c9c6ab54-8f0d-49b4-bf62-33f88decd52c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e4eb146d-7546-4a24-ae35-eb2824b345a2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Actions\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c9c6ab54-8f0d-49b4-bf62-33f88decd52c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.dlp_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.dlp_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e4eb146d-7546-4a24-ae35-eb2824b345a2\"},{\"columnId\":\"c9c6ab54-8f0d-49b4-bf62-33f88decd52c\"}],\"layerId\":\"0fff056b-7794-4070-8170-3657002b9253\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gri
dData\":{\"h\":15,\"i\":\"55a3cb4f-41e1-48a3-b3bb-e4b296503246\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"55a3cb4f-41e1-48a3-b3bb-e4b296503246\",\"title\":\"DLP Logs - Action taken on message\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-854e5002-cd2e-466a-ba28-04e926663f66\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"854e5002-cd2e-466a-ba28-04e926663f66\":{\"columnOrder\":[\"5745adf7-04d2-4886-8dad-897d57705772\",\"b9e528af-178d-488b-8997-fbaf60f2e4aa\"],\"columns\":{\"5745adf7-04d2-4886-8dad-897d57705772\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Policies\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9e528af-178d-488b-8997-fbaf60f2e4aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"b9e528af-178d-488b-8997-fbaf60f2e4aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.dlp_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.dlp_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"5745adf7-04d2-4886-8dad-897d57705772\"},{\"columnId\":\"b9e528af-178d-488b-8997-fbaf60f2e4aa\"}],\"layerId\":\"854e5002-cd2e-466a-ba28-04e926663f66\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"13693574-6de9-4ccc-afb9-cc1d99dd83b8\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"13693574-6de9-4ccc-afb9-cc1d99dd83b8\",\"title\":\"DLP Logs - Policies triggered\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f5b8670-33ce-47e6-ac1f-b29f55afaf24\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f5b8670-33ce-47e6-ac1f-b29f55afaf24\":{\"columnOrder\":[\"7f11f183-c159-43db-8b95-cbb8fd2d8fd7\",\"0033ecfa-a5f3-4828-9fd8-ae82caf7c8f1\"],\"columns\":{\"0033ecfa-a5f3-4828-9fd8-ae82caf7c8f1\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7f11f183-c159-43db-8b95-cbb8fd2d8fd7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Senders\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0033ecfa-a5f3-4828-9fd8-ae82caf7c8f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.from.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.dlp_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.dlp_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7f11f183-c159-43db-8b95-cbb8fd2d8fd7\",\"isTransposed\":false},{\"columnId\":\"0033ecfa-a5f3-4828-9fd8-ae82caf7c8f1\",\"isTransposed\":false}],\"layerId\":\"0f5b8670-33ce-47e6-ac1f-b29f55afaf24\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"0033ecfa-a5f3-4828-9fd8-ae82caf7c8f1\",\"direction\":\"desc\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"4a088ba2-68ed-418a-b167-7db8a7c592c2\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"4a088ba2-68ed-418a-b167-7db8a7c592c2\",\"title\":\"DLP Logs - Senders that triggered DLP Policies\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] DLP Logs Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-042d5620-5411-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15971769-d6c7-4cbd-a65b-41773cac89f9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15971769-d6c7-4cbd-a65b-41773cac89f9:indexpattern-datasource-layer-47e0f438-1420-40d4-a779-1845993eb7ea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15971769-d6c7-4cbd-a65b-41773cac89f9:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55a3cb4f-41e1-48a3-b3bb-e4b296503246:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55a3cb4f-41e1-48a3-b3bb-e4b296503246:indexpattern-datasource-layer-0fff056b-7794-4070-8170-3657002b9253", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55a3cb4f-41e1-48a3-b3bb-e4b296503246:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13693574-6de9-4ccc-afb9-cc1d99dd83b8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13693574-6de9-4ccc-afb9-cc1d99dd83b8:indexpattern-datasource-layer-854e5002-cd2e-466a-ba28-04e926663f66", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13693574-6de9-4ccc-afb9-cc1d99dd83b8:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a088ba2-68ed-418a-b167-7db8a7c592c2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a088ba2-68ed-418a-b167-7db8a7c592c2:indexpattern-datasource-layer-0f5b8670-33ce-47e6-ac1f-b29f55afaf24", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a088ba2-68ed-418a-b167-7db8a7c592c2:filter-index-pattern-0", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-0ebd21e0-5422-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-0ebd21e0-5422-11ec-bd43-b5e1f9a9c8d5.json
new file mode 100755
index 0000000000..b560a62e8c
--- /dev/null
+++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-0ebd21e0-5422-11ec-bd43-b5e1f9a9c8d5.json
@@ -0,0 +1,68 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_customer\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_customer\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-399531fb-a3b2-4881-aa91-9b3f9e7d34e7\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"399531fb-a3b2-4881-aa91-9b3f9e7d34e7\":{\"columnOrder\":[\"d17db96e-f800-4bb6-ad48-2f10d7c1fc34\",\"9ba4c455-c64a-4ce6-8d0e-a17e79390bd3\"],\"columns\":{\"9ba4c455-c64a-4ce6-8d0e-a17e79390bd3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d17db96e-f800-4bb6-ad48-2f10d7c1fc34\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_customer\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_customer\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"9ba4c455-c64a-4ce6-8d0e-a17e79390bd3\"],\"layerId\":\"399531fb-a3b2-4881-aa91-9b3f9e7d34e7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"d17db96e-f800-4bb6-ad48-2f10d7c1fc34\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3e4a96ab-a404-4d1d-932d-0d6439e5d7c4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3e4a96ab-a404-4d1d-932d-0d6439e5d7c4\",\"title\":\"[[Mimecast] Threat Intel Feed Targeted - over 
time\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-662c8260-62a4-4b11-8942-e7900c2fb1bb\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"662c8260-62a4-4b11-8942-e7900c2fb1bb\":{\"columnOrder\":[\"c9e207f1-1b64-4b4a-b6cb-ddc770733a8b\",\"7c2cbcee-2579-4971-a811-12bbb4815d9e\"],\"columns\":{\"7c2cbcee-2579-4971-a811-12bbb4815d9e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c9e207f1-1b64-4b4a-b6cb-ddc770733a8b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7c2cbcee-2579-4971-a811-12bbb4815d9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_customer\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_customer\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c9e207f1-1b64-4b4a-b6cb-ddc770733a8b\"},{\"columnId\":\"7c2cbcee-2579-4971-a811-12bbb4815d9e\"}],\"layerId\":\"662c8260-62a4-4b11-8942-e7900c2fb1bb\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatab
le\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"044b5a8a-d8c5-4f7b-beae-7c612bd566ee\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"044b5a8a-d8c5-4f7b-beae-7c612bd566ee\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"43ba8519-c31d-4884-861e-34bae3c8a782\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"43ba8519-c31d-4884-861e-34bae3c8a782\",\"panelRefName\":\"panel_43ba8519-c31d-4884-861e-34bae3c8a782\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] Threat Intel Feed - Targeted Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-0ebd21e0-5422-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e4a96ab-a404-4d1d-932d-0d6439e5d7c4:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e4a96ab-a404-4d1d-932d-0d6439e5d7c4:indexpattern-datasource-layer-399531fb-a3b2-4881-aa91-9b3f9e7d34e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e4a96ab-a404-4d1d-932d-0d6439e5d7c4:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "044b5a8a-d8c5-4f7b-beae-7c612bd566ee:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "044b5a8a-d8c5-4f7b-beae-7c612bd566ee:indexpattern-datasource-layer-662c8260-62a4-4b11-8942-e7900c2fb1bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "044b5a8a-d8c5-4f7b-beae-7c612bd566ee:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0", + 
"name": "43ba8519-c31d-4884-861e-34bae3c8a782:panel_43ba8519-c31d-4884-861e-34bae3c8a782", + "type": "search" + } + ], + "type": "dashboard" +}
\ No newline at end of file
diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-6c61f080-541f-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-6c61f080-541f-11ec-bd43-b5e1f9a9c8d5.json
new file mode 100755
index 0000000000..2bda8bb4ea
--- /dev/null
+++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-6c61f080-541f-11ec-bd43-b5e1f9a9c8d5.json
@@ -0,0 +1,68 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_grid\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_grid\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-482f4c89-6ca6-4520-826e-876c0256ae1b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"482f4c89-6ca6-4520-826e-876c0256ae1b\":{\"columnOrder\":[\"6035b29a-145b-48c5-9faf-0d33060bfda0\",\"26106801-2a8f-464c-9a0e-439bb734b16b\"],\"columns\":{\"26106801-2a8f-464c-9a0e-439bb734b16b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"6035b29a-145b-48c5-9faf-0d33060bfda0\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_grid\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_grid\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"26106801-2a8f-464c-9a0e-439bb734b16b\"],\"layerId\":\"482f4c89-6ca6-4520-826e-876c0256ae1b\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"6035b29a-145b-48c5-9faf-0d33060bfda0\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"174ad31a-31be-4bc0-b47a-a7692c6c02ae\",\"w\":22,\"x\":0,\"y\":0},\"panelIndex\":\"174ad31a-31be-4bc0-b47a-a7692c6c02ae\",\"title\":\"[Miemcast] Threat Intel Feed Regional- over 
time\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-231039d5-8ca6-4e3d-b6ce-304ff967550c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"231039d5-8ca6-4e3d-b6ce-304ff967550c\":{\"columnOrder\":[\"e751fb41-0eb0-444c-858b-b2ffafe590cf\",\"b642290b-f2dd-46a6-8641-ef25b6e6e794\"],\"columns\":{\"b642290b-f2dd-46a6-8641-ef25b6e6e794\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e751fb41-0eb0-444c-858b-b2ffafe590cf\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicator\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b642290b-f2dd-46a6-8641-ef25b6e6e794\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_grid\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_grid\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e751fb41-0eb0-444c-858b-b2ffafe590cf\"},{\"columnId\":\"b642290b-f2dd-46a6-8641-ef25b6e6e794\"}],\"layerId\":\"231039d5-8ca6-4e3d-b6ce-304ff967550c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\
"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"c4041140-c71a-446f-bc68-3e3593202832\",\"w\":25,\"x\":22,\"y\":0},\"panelIndex\":\"c4041140-c71a-446f-bc68-3e3593202832\",\"title\":\"[Regional] Threat Intel Feed Regional - count by indicator\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"44ba0d50-0c94-4053-8364-058f0c5a6916\",\"w\":47,\"x\":0,\"y\":16},\"panelIndex\":\"44ba0d50-0c94-4053-8364-058f0c5a6916\",\"panelRefName\":\"panel_44ba0d50-0c94-4053-8364-058f0c5a6916\",\"title\":\"[Mimecast] Threat Intel Feed Regional - Most recent logs\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] Threat Intel Feed - Regional Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-6c61f080-541f-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "174ad31a-31be-4bc0-b47a-a7692c6c02ae:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "174ad31a-31be-4bc0-b47a-a7692c6c02ae:indexpattern-datasource-layer-482f4c89-6ca6-4520-826e-876c0256ae1b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "174ad31a-31be-4bc0-b47a-a7692c6c02ae:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4041140-c71a-446f-bc68-3e3593202832:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4041140-c71a-446f-bc68-3e3593202832:indexpattern-datasource-layer-231039d5-8ca6-4e3d-b6ce-304ff967550c", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "c4041140-c71a-446f-bc68-3e3593202832:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0", + "name": "44ba0d50-0c94-4053-8364-058f0c5a6916:panel_44ba0d50-0c94-4053-8364-058f0c5a6916", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-7790e470-541a-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-7790e470-541a-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..ea796cc6cb --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-7790e470-541a-11ec-bd43-b5e1f9a9c8d5.json 
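Review bot: The user-facing panel title `[Miemcast] Threat Intel Feed Regional- over time` in panelsJSON misspells the product name and drops the space before the dash, and the neighbouring datatable panel is prefixed `[Regional]` where the third panel and the dashboard title both use `[Mimecast]`; `[Mimecast] Threat Intel Feed Regional - over time` and `[Mimecast] Threat Intel Feed Regional - count by indicator` would match the rest of the dashboard. Every panel also carries `\"version\":\"7.16.0-SNAPSHOT\"`, which suggests these saved objects were exported from a development build rather than a release; the same snapshot version string appears in the dashboards added in the following two hunks (7790e470 and 87fba310), so re-exporting all of them from a release build would be cleaner than editing the strings by hand.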
@@ -0,0 +1,93 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_url_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_url_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7a34769f-5338-4cf1-8611-76ee68762548\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7a34769f-5338-4cf1-8611-76ee68762548\":{\"columnOrder\":[\"93e854a1-a782-4a03-97b8-b4f8a98b931e\",\"a116654e-42ef-4dbf-9c3f-07dc0ab0eb15\",\"73bd76e9-d764-4c7c-bfb0-71205b4f7df5\"],\"columns\":{\"73bd76e9-d764-4c7c-bfb0-71205b4f7df5\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"93e854a1-a782-4a03-97b8-b4f8a98b931e\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
mimecast.scanResult\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"73bd76e9-d764-4c7c-bfb0-71205b4f7df5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"mimecast.scanResult\"},\"a116654e-42ef-4dbf-9c3f-07dc0ab0eb15\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_url_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_url_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"73bd76e9-d764-4c7c-bfb0-71205b4f7df5\"],\"layerId\":\"7a34769f-5338-4cf1-8611-76ee68762548\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"93e854a1-a782-4a03-97b8-b4f8a98b931e\",\"xAccessor\":\"a116654e-42ef-4dbf-9c3f-07dc0ab0eb15\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},
\"gridData\":{\"h\":14,\"i\":\"23ab3e48-e6f2-4c70-a6f5-8dff355eeb73\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"23ab3e48-e6f2-4c70-a6f5-8dff355eeb73\",\"title\":\"Clean vs malicious over time\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76a01545-a0d3-4529-9185-e99aa33aa198\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76a01545-a0d3-4529-9185-e99aa33aa198\":{\"columnOrder\":[\"0f3030c5-e2c2-46b0-94d9-9fedf71bbedd\",\"1e318351-5ec1-484c-8a9f-dd79a8c26759\"],\"columns\":{\"0f3030c5-e2c2-46b0-94d9-9fedf71bbedd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"url\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1e318351-5ec1-484c-8a9f-dd79a8c26759\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"1e318351-5ec1-484c-8a9f-dd79a8c26759\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_url_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_url_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-p
attern-1\",\"key\":\"mimecast.scanResult\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.scanResult\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"0f3030c5-e2c2-46b0-94d9-9fedf71bbedd\",\"isTransposed\":false},{\"columnId\":\"1e318351-5ec1-484c-8a9f-dd79a8c26759\",\"isTransposed\":false}],\"layerId\":\"76a01545-a0d3-4529-9185-e99aa33aa198\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a4201043-b285-4608-b169-4eae313b2b6c\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"a4201043-b285-4608-b169-4eae313b2b6c\",\"title\":\"Top malicious URLs\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2a0ae18b-3b74-4c61-8a14-3f87a634e8ba\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2a0ae18b-3b74-4c61-8a14-3f87a634e8ba\":{\"columnOrder\":[\"2b26e9ef-78d9-4173-97fa-ec7526af0773\",\"2782be47-0178-4935-ac5b-05c8a15a61f2\"],\"columns\":{\"2782be47-0178-4935-ac5b-05c8a15a61f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"2b26e9ef-78d9-4173-97fa-ec7526af0773\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2782be47-0178-4935-ac5b-05c8a15a61f2
\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"mimecast.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_url_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_url_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.scanResult\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.scanResult\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2b26e9ef-78d9-4173-97fa-ec7526af0773\"},{\"columnId\":\"2782be47-0178-4935-ac5b-05c8a15a61f2\"}],\"layerId\":\"2a0ae18b-3b74-4c61-8a14-3f87a634e8ba\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"23fe1e17-6ce1-4d4e-abb5-2fd095420475\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"23fe1e17-6ce1-4d4e-abb5-2fd095420475\",\"title\":\"Top URL categories\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"246c6a37-8605-4c92-8503-0fc545cef56f\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"246c6a37-8605-4c92-8503-0fc545cef56f\",\"panelRefName\":\"panel_246c6a37-8605-4c92-8503-0fc545cef56f\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] TTP URL Protect Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + 
"id": "mimecast-7790e470-541a-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23ab3e48-e6f2-4c70-a6f5-8dff355eeb73:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23ab3e48-e6f2-4c70-a6f5-8dff355eeb73:indexpattern-datasource-layer-7a34769f-5338-4cf1-8611-76ee68762548", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23ab3e48-e6f2-4c70-a6f5-8dff355eeb73:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4201043-b285-4608-b169-4eae313b2b6c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4201043-b285-4608-b169-4eae313b2b6c:indexpattern-datasource-layer-76a01545-a0d3-4529-9185-e99aa33aa198", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4201043-b285-4608-b169-4eae313b2b6c:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4201043-b285-4608-b169-4eae313b2b6c:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23fe1e17-6ce1-4d4e-abb5-2fd095420475:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23fe1e17-6ce1-4d4e-abb5-2fd095420475:indexpattern-datasource-layer-2a0ae18b-3b74-4c61-8a14-3f87a634e8ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23fe1e17-6ce1-4d4e-abb5-2fd095420475:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23fe1e17-6ce1-4d4e-abb5-2fd095420475:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253", + "name": "246c6a37-8605-4c92-8503-0fc545cef56f:panel_246c6a37-8605-4c92-8503-0fc545cef56f", + "type": 
"search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-87fba310-5413-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-87fba310-5413-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..34656e4b7c --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-87fba310-5413-11ec-bd43-b5e1f9a9c8d5.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7fd2fb45-58d3-499c-8b39-a65a1d337c30\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7fd2fb45-58d3-499c-8b39-a65a1d337c30\":{\"columnOrder\":[\"4c2264ac-1102-43db-b405-02295ddba570\",\"29a6d63f-6b9e-42f5-a062-026e264b7905\"],\"columns\":{\"29a6d63f-6b9e-42f5-a062-026e264b7905\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4c2264ac-1102-43db-b405-02295ddba570\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1M\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.result\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.result\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"29a6d63f-6b9e-42f5-a062-026e264b7905\"],\"layerId\":\"7fd2fb45-58d3-499c-8b39-a65a1d337c30\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4c2264ac-1102-43db-b405-02295ddba570\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{
\"h\":15,\"i\":\"0939e1a7-1ed7-41c8-8161-c82ee711824c\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"0939e1a7-1ed7-41c8-8161-c82ee711824c\",\"title\":\"TTP AP Logs- Threats (attachments deemed malicious) over time\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc987f4b-7570-4117-a216-abb8b85d6a74\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc987f4b-7570-4117-a216-abb8b85d6a74\":{\"columnOrder\":[\"68fb7687-4b9e-4269-9514-d871fd23acf6\",\"accab1cb-cf0c-4e6c-94c6-cc50396d0d58\"],\"columns\":{\"68fb7687-4b9e-4269-9514-d871fd23acf6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Malicious files extensions\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"accab1cb-cf0c-4e6c-94c6-cc50396d0d58\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.attachments.file.extension\"},\"accab1cb-cf0c-4e6c-94c6-cc50396d0d58\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.result\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.result\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"68fb7687-4b9e-4269-9514-d871fd23acf6\",\"isTransposed\":false},{\"columnId\":\"accab1cb-cf0c-4e6c-94c6-cc50396d0d58\",\"isTransposed\":false}],\"layerId\":\"cc987f4b-7570-4117-a216-abb8b85d6a74\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"00f684a9-e6f1-4fba-8693-4ff07ec1d480\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"00f684a9-e6f1-4fba-8693-4ff07ec1d480\",\"title\":\"TTP AP Logs - Threat extension 
types\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-675873f9-5e65-4f7d-a731-1e5170a98700\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"675873f9-5e65-4f7d-a731-1e5170a98700\":{\"columnOrder\":[\"a413b181-ad13-4316-97ad-f563a54dd33d\",\"757fdc1e-7a28-470c-a730-e3b9a67ec253\"],\"columns\":{\"757fdc1e-7a28-470c-a730-e3b9a67ec253\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a413b181-ad13-4316-97ad-f563a54dd33d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threats detected by 
recipients\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"757fdc1e-7a28-470c-a730-e3b9a67ec253\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.result\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.result\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a413b181-ad13-4316-97ad-f563a54dd33d\",\"isTransposed\":false},{\"columnId\":\"757fdc1e-7a28-470c-a730-e3b9a67ec253\",\"isTransposed\":false}],\"layerId\":\"675873f9-5e65-4f7d-a731-1e5170a98700\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8d907c29-dd68-4333-9e75-562f38046280\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8d907c29-dd68-4333-9e75-562f38046280\",\"title\":\"TTP AP Logs - Threat detected by 
recipients\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-55f1e965-a3d5-4941-820e-46277d3f3cba\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"55f1e965-a3d5-4941-820e-46277d3f3cba\":{\"columnOrder\":[\"2984698c-20fb-4eca-975b-a42fcb4136a4\",\"839e65a6-2bfb-4b3a-aa86-044a081338bf\"],\"columns\":{\"2984698c-20fb-4eca-975b-a42fcb4136a4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Senders\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"839e65a6-2bfb-4b3a-aa86-044a081338bf\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.from.address\"},\"839e65a6-2bfb-4b3a-aa86-044a081338bf\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.result\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.result\":\"malicious\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2984698c-20fb-4eca-975b-a42fcb4136a4\"},{\"columnId\":\"839e65a6-2bfb-4b3a-aa86-044a081338bf\"}],\"layerId\":\"55f1e965-a3d5-4941-820e-46277d3f3cba\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c3a2a774-3d5f-42a3-be87-694d768aaf92\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c3a2a774-3d5f-42a3-be87-694d768aaf92\",\"title\":\"TTP AP Logs - Threat detected by senders\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3da0947d-f5e2-4c52-8577-d313a6256c84\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3da0947d-f5e2-4c52-8577-d313a6256c84\",\"panelRefName\":\"panel_3da0947d-f5e2-4c52-8577-d313a6256c84\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] TTP Attachment Protect Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": 
"mimecast-87fba310-5413-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0939e1a7-1ed7-41c8-8161-c82ee711824c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0939e1a7-1ed7-41c8-8161-c82ee711824c:indexpattern-datasource-layer-7fd2fb45-58d3-499c-8b39-a65a1d337c30", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0939e1a7-1ed7-41c8-8161-c82ee711824c:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0939e1a7-1ed7-41c8-8161-c82ee711824c:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00f684a9-e6f1-4fba-8693-4ff07ec1d480:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00f684a9-e6f1-4fba-8693-4ff07ec1d480:indexpattern-datasource-layer-cc987f4b-7570-4117-a216-abb8b85d6a74", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00f684a9-e6f1-4fba-8693-4ff07ec1d480:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00f684a9-e6f1-4fba-8693-4ff07ec1d480:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d907c29-dd68-4333-9e75-562f38046280:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d907c29-dd68-4333-9e75-562f38046280:indexpattern-datasource-layer-675873f9-5e65-4f7d-a731-1e5170a98700", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d907c29-dd68-4333-9e75-562f38046280:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d907c29-dd68-4333-9e75-562f38046280:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"c3a2a774-3d5f-42a3-be87-694d768aaf92:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3a2a774-3d5f-42a3-be87-694d768aaf92:indexpattern-datasource-layer-55f1e965-a3d5-4941-820e-46277d3f3cba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3a2a774-3d5f-42a3-be87-694d768aaf92:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3a2a774-3d5f-42a3-be87-694d768aaf92:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642", + "name": "3da0947d-f5e2-4c52-8577-d313a6256c84:panel_3da0947d-f5e2-4c52-8577-d313a6256c84", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-b4585cb0-541c-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-b4585cb0-541c-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..cf8406b04f --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-b4585cb0-541c-11ec-bd43-b5e1f9a9c8d5.json 
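Review bot: The "TTP AP Logs- Threats (attachments deemed malicious) over time" line chart buckets `@timestamp` with `\"interval\":\"1M\"`, while the dashboard stores `"timeFrom": "now-30d/d"` with `"timeRestore": true`, so on open the chart has at most two monthly buckets and shows no usable trend; the sibling dashboards in this commit use `1d`, which fits the stored window, so `\"interval\":\"1d\"` (or a wider stored range if monthly buckets are intended) would make the panel meaningful. Two labels also read awkwardly: `Malicious files extensions` should be `Malicious file extensions`, and the title `TTP AP Logs- Threats` is missing the space before the dash, unlike the other three panel titles in the same file.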
@@ -0,0 +1,108 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3732d54a-b698-4a66-baef-5d0674eff6c9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3732d54a-b698-4a66-baef-5d0674eff6c9\":{\"columnOrder\":[\"eaf6d751-71b7-431a-b597-6f58857c0ea9\"],\"columns\":{\"eaf6d751-71b7-431a-b597-6f58857c0ea9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"users logged 
on\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"user-logged-on\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"user-logged-on\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eaf6d751-71b7-431a-b597-6f58857c0ea9\",\"layerId\":\"3732d54a-b698-4a66-baef-5d0674eff6c9\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0668cb1c-3653-44fd-9011-207eee1d886c\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"0668cb1c-3653-44fd-9011-207eee1d886c\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d1772930-cd84-4843-ad0d-64b5bf4d1e9c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d1772930-cd84-4843-ad0d-64b5bf4d1e9c\":{\"columnOrder\":[\"4abe2c7c-88ea-4177-8ea9-aaa8f34bc902\"],\"columns\":{\"4abe2c7c-88ea-4177-8ea9-aaa8f34bc902\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"logi
n failed attempts\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"logon-authentication-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"logon-authentication-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"4abe2c7c-88ea-4177-8ea9-aaa8f34bc902\",\"layerId\":\"d1772930-cd84-4843-ad0d-64b5bf4d1e9c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7c8c2048-f7b1-42f5-8558-61efea1be46d\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"7c8c2048-f7b1-42f5-8558-61efea1be46d\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e10fb6fc-8079-4a60-9ea5-f54da0eff2f6\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e10fb6fc-8079-4a60-9ea5-f54da0eff2f6\":{\"columnOrder\":[\"13c9775c-4b14-4314-a394-e97ffc0e1499\",\"a7feab8c-0abd-49eb-96cb-f7a351fa44d3\",\"07a0c304-5e0b-4fc7-9b79-e81ddcbe766e\",\"01f5144f-929
b-4f88-8a0e-995d804e0037\"],\"columns\":{\"01f5144f-929b-4f88-8a0e-995d804e0037\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"07a0c304-5e0b-4fc7-9b79-e81ddcbe766e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"src\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"01f5144f-929b-4f88-8a0e-995d804e0037\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"client.ip\"},\"13c9775c-4b14-4314-a394-e97ffc0e1499\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"01f5144f-929b-4f88-8a0e-995d804e0037\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.email\"},\"a7feab8c-0abd-49eb-96cb-f7a351fa44d3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"app\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"01f5144f-929b-4f88-8a0e-995d804e0037\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"mimecast.application\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"logon-au
thentication-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"logon-authentication-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"mimecast.audit_events\\\" \"},\"visualization\":{\"columns\":[{\"columnId\":\"13c9775c-4b14-4314-a394-e97ffc0e1499\",\"isTransposed\":false},{\"columnId\":\"a7feab8c-0abd-49eb-96cb-f7a351fa44d3\",\"isTransposed\":false},{\"columnId\":\"07a0c304-5e0b-4fc7-9b79-e81ddcbe766e\",\"isTransposed\":false},{\"columnId\":\"01f5144f-929b-4f88-8a0e-995d804e0037\",\"isTransposed\":false}],\"layerId\":\"e10fb6fc-8079-4a60-9ea5-f54da0eff2f6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f6516880-2d97-4b93-87bb-92f35c377e3b\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f6516880-2d97-4b93-87bb-92f35c377e3b\",\"title\":\"[Mimecast] Failed authentication by user, app and src\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"6d200d4d-9645-457c-82ee-84bfb2da30ca\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"client.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"d0374776-f76c-46ed-a656-a0a35583a2ba\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"84b4eec1-9626-4
236-8164-b59027952799\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.5,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":0.83,\\\"center\\\":{\\\"lon\\\":4.00755,\\\"lat\\\":40.62529},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-1y/d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"mimecast.audit_events\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"mimecast.audit_events
\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.action\\\",\\\"params\\\":{\\\"query\\\":\\\"logon-authentication-failed\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.action\\\":\\\"logon-authentication-failed\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":45.66276,\"lon\":4.00755,\"zoom\":0.83},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"314e1d17-5eaf-4341-854a-2956bbef1870\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"314e1d17-5eaf-4341-854a-2956bbef1870\",\"title\":\"[Mimecast] Failed authentication by 
country\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5e6b4ed3-3f2b-4ee4-b6e3-ba2ef880aa79\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"5e6b4ed3-3f2b-4ee4-b6e3-ba2ef880aa79\",\"panelRefName\":\"panel_5e6b4ed3-3f2b-4ee4-b6e3-ba2ef880aa79\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8b954556-f449-4d03-88c5-9ba86af34244\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"8b954556-f449-4d03-88c5-9ba86af34244\",\"panelRefName\":\"panel_8b954556-f449-4d03-88c5-9ba86af34244\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] Access Logs Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-b4585cb0-541c-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0668cb1c-3653-44fd-9011-207eee1d886c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0668cb1c-3653-44fd-9011-207eee1d886c:indexpattern-datasource-layer-3732d54a-b698-4a66-baef-5d0674eff6c9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0668cb1c-3653-44fd-9011-207eee1d886c:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0668cb1c-3653-44fd-9011-207eee1d886c:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8c2048-f7b1-42f5-8558-61efea1be46d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"7c8c2048-f7b1-42f5-8558-61efea1be46d:indexpattern-datasource-layer-d1772930-cd84-4843-ad0d-64b5bf4d1e9c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8c2048-f7b1-42f5-8558-61efea1be46d:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8c2048-f7b1-42f5-8558-61efea1be46d:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6516880-2d97-4b93-87bb-92f35c377e3b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6516880-2d97-4b93-87bb-92f35c377e3b:indexpattern-datasource-layer-e10fb6fc-8079-4a60-9ea5-f54da0eff2f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6516880-2d97-4b93-87bb-92f35c377e3b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6516880-2d97-4b93-87bb-92f35c377e3b:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "314e1d17-5eaf-4341-854a-2956bbef1870:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253", + "name": "5e6b4ed3-3f2b-4ee4-b6e3-ba2ef880aa79:panel_5e6b4ed3-3f2b-4ee4-b6e3-ba2ef880aa79", + "type": "search" + }, + { + "id": "mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5", + "name": "8b954556-f449-4d03-88c5-9ba86af34244:panel_8b954556-f449-4d03-88c5-9ba86af34244", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-bca36430-540f-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-bca36430-540f-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..9d87bcc5cd --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-bca36430-540f-11ec-bd43-b5e1f9a9c8d5.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.siem_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.siem_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1faf17aa-0298-4830-a031-00f1b48435b6\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1faf17aa-0298-4830-a031-00f1b48435b6\":{\"columnOrder\":[\"95cdbe62-23e4-43ee-9bab-123bfc4a3e68\",\"c9f7cf64-8a98-4e3c-b12c-a22d26ca20be\",\"2611cbf0-c905-44cc-a98e-25fbdcd5dbee\"],\"columns\":{\"2611cbf0-c905-44cc-a98e-25fbdcd5dbee\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"95cdbe62-23e4-43ee-9bab-123bfc4a3e68\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"c9f7cf64-8a98-4e3c-b12c-a22d26ca20be\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
email.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2611cbf0-c905-44cc-a98e-25fbdcd5dbee\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":4},\"scale\":\"ordinal\",\"sourceField\":\"email.direction\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.siem_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.siem_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2611cbf0-c905-44cc-a98e-25fbdcd5dbee\"],\"layerId\":\"1faf17aa-0298-4830-a031-00f1b48435b6\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"c9f7cf64-8a98-4e3c-b12c-a22d26ca20be\",\"xAccessor\":\"95cdbe62-23e4-43ee-9bab-123bfc4a3e68\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"8f10a0bb-d41d-4e2b-8e95-e17790cf0728\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8f10a0bb-d41d-4e2b-8e95-e17790cf0728\",\"title\":\"SIEM Logs - Email Activity 
Summary\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a4f8003-e917-44ab-9b50-c46553bacd59\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a4f8003-e917-44ab-9b50-c46553bacd59\":{\"columnOrder\":[\"aaa283a2-4c24-432c-b7f3-a3304e800b51\",\"826ba46a-7476-493d-a256-c717d69e7d2b\"],\"columns\":{\"826ba46a-7476-493d-a256-c717d69e7d2b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"aaa283a2-4c24-432c-b7f3-a3304e800b51\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Held 
Reasons\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"826ba46a-7476-493d-a256-c717d69e7d2b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.reason\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.siem_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.siem_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.log_type\",\"negate\":false,\"params\":{\"query\":\"process\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.log_type\":\"process\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"Hld\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"Hld\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"aaa283a2-4c24-432c-b7f3-a3304e800b51\",\"isTransposed\":false},{\"columnId\":\"826ba46a-7476-493d-a256-c717d69e7d2b\",\"isTransposed\":false}],\"layerId\":\"8a4f8003-e917-44ab-9b50-c46553bacd59\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3031d781-05b7-4504-b23b-bd4d3233b22b\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"3031d781-05b7-4504-b23b-bd4d3233b22b\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\
"logs-*\",\"name\":\"indexpattern-datasource-layer-87e37d53-70f7-4337-86ed-832fcb7f9383\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87e37d53-70f7-4337-86ed-832fcb7f9383\":{\"columnOrder\":[\"482922c8-4843-45af-9b42-01c50685bfbe\",\"9643e088-9c36-476d-a969-244e0d2ecc23\"],\"columns\":{\"482922c8-4843-45af-9b42-01c50685bfbe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Delivery Failures\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9643e088-9c36-476d-a969-244e0d2ecc23\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"error.type\"},\"9643e088-9c36-476d-a969-244e0d2ecc23\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.siem_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.siem_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.log_type\",\"negate\":false,\"params\":{\"query\":\"delivery\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.log_type\":\"delivery\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"482922c8-4843-45af-9b42-01c50685bfbe\",\"isTransposed\":false},{\"columnId\":\"9643e088-9c36-476d-a969-244e0d2ecc23\",\"isTransposed\":false}],\"layerId\":\"87e37d53-70f7-4337-86ed-832fcb7f9383\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6ffda35-4fc4-4204-92c3-45d473823e00\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"a6ffda35-4fc4-4204-92c3-45d473823e00\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e55c6dff-df9b-4c78-96e4-af36202efbde\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\"
:\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e55c6dff-df9b-4c78-96e4-af36202efbde\":{\"columnOrder\":[\"f8efadab-8604-4947-8ef2-7f0d38db76f4\",\"7f83a56b-b863-482d-962d-78a2e36940d5\"],\"columns\":{\"7f83a56b-b863-482d-962d-78a2e36940d5\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f8efadab-8604-4947-8ef2-7f0d38db76f4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rejections reasons\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7f83a56b-b863-482d-962d-78a2e36940d5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"error.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.siem_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.siem_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.log_type\",\"negate\":false,\"params\":{\"query\":\"receipt\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.log_type\":\"receipt\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"Rej\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"Rej\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visuali
zation\":{\"columns\":[{\"columnId\":\"f8efadab-8604-4947-8ef2-7f0d38db76f4\"},{\"columnId\":\"7f83a56b-b863-482d-962d-78a2e36940d5\"}],\"layerId\":\"e55c6dff-df9b-4c78-96e4-af36202efbde\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b356a564-3af3-4721-8885-930f4933fda7\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"b356a564-3af3-4721-8885-930f4933fda7\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] SIEM Logs Dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-bca36430-540f-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f10a0bb-d41d-4e2b-8e95-e17790cf0728:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f10a0bb-d41d-4e2b-8e95-e17790cf0728:indexpattern-datasource-layer-1faf17aa-0298-4830-a031-00f1b48435b6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f10a0bb-d41d-4e2b-8e95-e17790cf0728:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3031d781-05b7-4504-b23b-bd4d3233b22b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3031d781-05b7-4504-b23b-bd4d3233b22b:indexpattern-datasource-layer-8a4f8003-e917-44ab-9b50-c46553bacd59", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3031d781-05b7-4504-b23b-bd4d3233b22b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3031d781-05b7-4504-b23b-bd4d3233b22b:filter-index-pattern-1", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "3031d781-05b7-4504-b23b-bd4d3233b22b:filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6ffda35-4fc4-4204-92c3-45d473823e00:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6ffda35-4fc4-4204-92c3-45d473823e00:indexpattern-datasource-layer-87e37d53-70f7-4337-86ed-832fcb7f9383", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6ffda35-4fc4-4204-92c3-45d473823e00:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6ffda35-4fc4-4204-92c3-45d473823e00:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6ffda35-4fc4-4204-92c3-45d473823e00:filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b356a564-3af3-4721-8885-930f4933fda7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b356a564-3af3-4721-8885-930f4933fda7:indexpattern-datasource-layer-e55c6dff-df9b-4c78-96e4-af36202efbde", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b356a564-3af3-4721-8885-930f4933fda7:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b356a564-3af3-4721-8885-930f4933fda7:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b356a564-3af3-4721-8885-930f4933fda7:filter-index-pattern-2", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f22e62f0-5417-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f22e62f0-5417-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..f16de4a8a3 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f22e62f0-5417-11ec-bd43-b5e1f9a9c8d5.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ip_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ip_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"fd58ca0b-aae6-4d02-9582-4431487f676d\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"fd58ca0b-aae6-4d02-9582-4431487f676d\",\"panelRefName\":\"panel_fd58ca0b-aae6-4d02-9582-4431487f676d\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"228c1edf-8ef3-4a4c-8d68-6f4d60b1685d\",\"w\":9,\"x\":10,\"y\":0},\"panelIndex\":\"228c1edf-8ef3-4a4c-8d68-6f4d60b1685d\",\"panelRefName\":\"panel_228c1edf-8ef3-4a4c-8d68-6f4d60b1685d\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"3de39cd9-d890-4300-848f-934dad8dc0e6\",\"w\":9,\"x\":19,\"y\":0},\"panelIndex\":\"3de39cd9-d890-4300-848f-934dad8dc0e6\",\"panelRefName\":\"panel_3de39cd9-d890-4300-848f-934dad8dc0e6\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"7b3289f7-cccd-4246-8927-befc10b8ec24\",\"w\":9,\"x\":28,\"y\":0},\"panelIndex\":\"7b3289f7-cccd-4246-8927-befc10b8ec24\",\"panelRefName\":\"panel_7b3289f7-cccd-4246-8927-befc10b8ec24\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"8df60631-ed88-490d
-952b-33926d251709\",\"w\":10,\"x\":37,\"y\":0},\"panelIndex\":\"8df60631-ed88-490d-952b-33926d251709\",\"panelRefName\":\"panel_8df60631-ed88-490d-952b-33926d251709\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc0ca8f3-6cdf-46d7-a3a8-88a1818b2340\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc0ca8f3-6cdf-46d7-a3a8-88a1818b2340\":{\"columnOrder\":[\"ff48f1ba-4593-40a2-88f0-a317519f65a0\",\"379f2d4d-5cdb-495b-866b-a67eb523bd86\"],\"columns\":{\"379f2d4d-5cdb-495b-866b-a67eb523bd86\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ff48f1ba-4593-40a2-88f0-a317519f65a0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Senders\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"379f2d4d-5cdb-495b-866b-a67eb523bd86\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.from.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ip_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ip_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimeca
st.taggedMalicious\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.taggedMalicious\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ff48f1ba-4593-40a2-88f0-a317519f65a0\"},{\"columnId\":\"379f2d4d-5cdb-495b-866b-a67eb523bd86\"}],\"layerId\":\"cc0ca8f3-6cdf-46d7-a3a8-88a1818b2340\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfc0063f-6cf4-4eef-852d-4ec90c17a37e\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"cfc0063f-6cf4-4eef-852d-4ec90c17a37e\",\"title\":\"Top potencial malious senders\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ab543c4a-7b11-40f3-bca3-74ea65af48f4\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ab543c4a-7b11-40f3-bca3-74ea65af48f4\":{\"columnOrder\":[\"e4e885a4-eebd-48b5-bf7a-1c8acf4553fa\",\"c09ef631-df6f-4df9-b8c2-9fa883d711e8\"],\"columns\":{\"c09ef631-df6f-4df9-b8c2-9fa883d711e8\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e4e885a4-eebd-48b5-bf7a-1c8acf4553fa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Recipients\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c09ef631-df6f-4df9-b8c2-9fa883d711e8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ip_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ip_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"mimecast.taggedMalicious\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.taggedMalicious\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e4e885a4-eebd-48b5-bf7a-1c8acf4553fa\",\"isTransposed\":false},{\"columnId\":\"c09ef631-df6f-4df9-b8c2-9fa883d711e8\",\"isTransposed\":false}],\"layerId\":\"ab543c4a-7b11-40f3-bca3-74ea65af48f4\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"322232e8-3f6b-463d-8ab1-d0d16a8b66be\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"322232e8-3f6b-463d-8ab1-d0d16a8b66be\",\"title\":\"Top potencial malious recipients\",\"type\":\"lens\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] 
TTP Impersonation Protect Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-f22e62f0-5417-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "mimecast-09cd47c0-3e40-11ec-80fa-4dfb04910642", + "name": "fd58ca0b-aae6-4d02-9582-4431487f676d:panel_fd58ca0b-aae6-4d02-9582-4431487f676d", + "type": "lens" + }, + { + "id": "mimecast-47017670-3e40-11ec-80fa-4dfb04910642", + "name": "228c1edf-8ef3-4a4c-8d68-6f4d60b1685d:panel_228c1edf-8ef3-4a4c-8d68-6f4d60b1685d", + "type": "lens" + }, + { + "id": "mimecast-b06b3340-3e3f-11ec-80fa-4dfb04910642", + "name": "3de39cd9-d890-4300-848f-934dad8dc0e6:panel_3de39cd9-d890-4300-848f-934dad8dc0e6", + "type": "lens" + }, + { + "id": "mimecast-86374180-3e40-11ec-80fa-4dfb04910642", + "name": "7b3289f7-cccd-4246-8927-befc10b8ec24:panel_7b3289f7-cccd-4246-8927-befc10b8ec24", + "type": "lens" + }, + { + "id": "mimecast-8f37e6f0-3e3f-11ec-80fa-4dfb04910642", + "name": "8df60631-ed88-490d-952b-33926d251709:panel_8df60631-ed88-490d-952b-33926d251709", + "type": "lens" + }, + { + "id": "logs-*", + "name": "cfc0063f-6cf4-4eef-852d-4ec90c17a37e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfc0063f-6cf4-4eef-852d-4ec90c17a37e:indexpattern-datasource-layer-cc0ca8f3-6cdf-46d7-a3a8-88a1818b2340", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfc0063f-6cf4-4eef-852d-4ec90c17a37e:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfc0063f-6cf4-4eef-852d-4ec90c17a37e:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "322232e8-3f6b-463d-8ab1-d0d16a8b66be:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"322232e8-3f6b-463d-8ab1-d0d16a8b66be:indexpattern-datasource-layer-ab543c4a-7b11-40f3-bca3-74ea65af48f4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "322232e8-3f6b-463d-8ab1-d0d16a8b66be:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "322232e8-3f6b-463d-8ab1-d0d16a8b66be:filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f8933590-541b-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f8933590-541b-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..e6a19af3e6 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/dashboard/mimecast-f8933590-541b-11ec-bd43-b5e1f9a9c8d5.json 
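Review bot: The two by-value Lens panels in `panelsJSON` carry misspelled user-facing headings, `Top potencial malious senders` and `Top potencial malious recipients`, and `hidePanelTitles` is `false` so they are rendered verbatim on the `[Mimecast] TTP Impersonation Protect Logs` dashboard. Change them to `\"title\":\"Top potential malicious senders\"` and `\"title\":\"Top potential malicious recipients\"`. Both tables also gate on `mimecast.taggedMalicious: true`, so the heading should say "malicious" rather than "potential" if that flag is meant to be authoritative; a short `description` on the dashboard stating what "tagged malicious" means in Mimecast terms would help an analyst reading the panel.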
@@ -0,0 +1,38 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ad6d8a79-9568-4d8e-9edc-4d9fc858a0d1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"ad6d8a79-9568-4d8e-9edc-4d9fc858a0d1\",\"panelRefName\":\"panel_ad6d8a79-9568-4d8e-9edc-4d9fc858a0d1\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Mimecast] Audit Events Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-f8933590-541b-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655", + "name": "ad6d8a79-9568-4d8e-9edc-4d9fc858a0d1:panel_ad6d8a79-9568-4d8e-9edc-4d9fc858a0d1", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/lens/mimecast-09cd47c0-3e40-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/lens/mimecast-09cd47c0-3e40-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..4585d962f3 --- /dev/null 
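Review bot: The single panel in this dashboard is resolved through the reference `mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655` of type `search`, but no saved search with that id appears in the visible part of this diff (the searches shown are 0d8b0660, 96ac7780, 9749a210 and bfb8e8f0). If that object is not shipped under `kibana/search/` in the same package version the dashboard will install with a missing-reference panel, so please confirm it exists. A non-empty `"description"` naming the audit-event source (`mimecast.audit_events`) would also make the dashboard self-describing in the Kibana listing.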
+++ b/packages/mimecast/0.0.12/kibana/lens/mimecast-09cd47c0-3e40-11ec-80fa-4dfb04910642.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "10e24b74-6c1f-40d2-8d40-2ec39d2a437a": { + "columnOrder": [ + "922203eb-f986-4d8a-b662-c61723b140f5" + ], + "columns": { + "922203eb-f986-4d8a-b662-c61723b140f5": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mimecast.ttp_ip_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mimecast.ttp_ip_logs" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "mimecast.identifiers", + "negate": false, + "params": { + "query": "similar_internal_domain" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "mimecast.identifiers": "similar_internal_domain" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "922203eb-f986-4d8a-b662-c61723b140f5", + "layerId": "10e24b74-6c1f-40d2-8d40-2ec39d2a437a", + "layerType": "data" + } + }, + "title": "[Mimecast] SimilarInternalDomain", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-09cd47c0-3e40-11ec-80fa-4dfb04910642", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-10e24b74-6c1f-40d2-8d40-2ec39d2a437a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/lens/mimecast-47017670-3e40-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/lens/mimecast-47017670-3e40-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..d931786ec1 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/lens/mimecast-47017670-3e40-11ec-80fa-4dfb04910642.json 
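Review bot: The title `[Mimecast] SimilarInternalDomain` omits the `Count` suffix that its sibling metric objects use (`ReplyAddressMismatchCount`, `NewlyObservedDomainCount`, `AdvancedSimilarInternalDomainCount`), although all of them are the same `lnsMetric` count over `mimecast.identifiers`. Use `"title": "[Mimecast] SimilarInternalDomainCount"` so the saved-object list reads consistently. The `description` is empty; a one-liner such as "Count of TTP Impersonation Protect events tagged similar_internal_domain" would document the filter without reading the JSON.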
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4db9fb0a-46d2-4e86-9d51-b2dbb13522ad": { + "columnOrder": [ + "45ed899d-b0ba-4c0e-92f3-3b1331be047c" + ], + "columns": { + "45ed899d-b0ba-4c0e-92f3-3b1331be047c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mimecast.ttp_ip_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mimecast.ttp_ip_logs" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "mimecast.identifiers", + "negate": false, + "params": { + "query": "reply_address_mismatch" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "mimecast.identifiers": "reply_address_mismatch" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"mimecast.ttp_ip_logs\" and mimecast.identifiers :\"reply_address_mismatch\" " + }, + "visualization": { + "accessor": "45ed899d-b0ba-4c0e-92f3-3b1331be047c", + "layerId": "4db9fb0a-46d2-4e86-9d51-b2dbb13522ad", + "layerType": "data" + } + }, + "title": "[Mimecast] ReplyAddressMismatchCount", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-47017670-3e40-11ec-80fa-4dfb04910642", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-4db9fb0a-46d2-4e86-9d51-b2dbb13522ad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/lens/mimecast-86374180-3e40-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/lens/mimecast-86374180-3e40-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..f634a3e195 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/lens/mimecast-86374180-3e40-11ec-80fa-4dfb04910642.json 
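Review bot: This object sets a KQL `query` of `data_stream.dataset : \"mimecast.ttp_ip_logs\" and mimecast.identifiers :\"reply_address_mismatch\" ` that merely duplicates the two phrase filters already in `filters`, whereas every sibling metric (SimilarInternalDomain, NewlyObservedDomain, AdvancedSimilarInternalDomain, InternalUserName) leaves `query` empty. The duplicate is harmless today but will silently keep the old constraint if someone later edits the visible filter pills, and it carries a trailing space. Set `"query": ""` to match the other Lens objects.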
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2a67dfff-4a02-4ee1-9b79-ae7dc549c8fa": { + "columnOrder": [ + "5def3667-368a-4501-bd58-e87f1388d33a" + ], + "columns": { + "5def3667-368a-4501-bd58-e87f1388d33a": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mimecast.ttp_ip_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mimecast.ttp_ip_logs" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "mimecast.identifiers", + "negate": false, + "params": { + "query": "newly_observed_domain" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "mimecast.identifiers": "newly_observed_domain" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "5def3667-368a-4501-bd58-e87f1388d33a", + "layerId": "2a67dfff-4a02-4ee1-9b79-ae7dc549c8fa", + "layerType": "data" + } + }, + "title": "[Mimecast] NewlyObservedDomainCount", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-86374180-3e40-11ec-80fa-4dfb04910642", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2a67dfff-4a02-4ee1-9b79-ae7dc549c8fa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/lens/mimecast-8f37e6f0-3e3f-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/lens/mimecast-8f37e6f0-3e3f-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..333c7a05d1 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/lens/mimecast-8f37e6f0-3e3f-11ec-80fa-4dfb04910642.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b07c48c6-9c2e-4373-9b81-a516192f6271": { + "columnOrder": [ + "85cafc43-5331-4ca7-853e-17c557791de0" + ], + "columns": { + "85cafc43-5331-4ca7-853e-17c557791de0": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mimecast.ttp_ip_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mimecast.ttp_ip_logs" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "mimecast.identifiers", + "negate": false, + "params": { + "query": "advanced_similar_internal_domain" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "mimecast.identifiers": "advanced_similar_internal_domain" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "85cafc43-5331-4ca7-853e-17c557791de0", + "layerId": "b07c48c6-9c2e-4373-9b81-a516192f6271", + "layerType": "data" + } + }, + "title": "[Mimecast] AdvancedSimilarInternalDomainCount", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-8f37e6f0-3e3f-11ec-80fa-4dfb04910642", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b07c48c6-9c2e-4373-9b81-a516192f6271", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/lens/mimecast-b06b3340-3e3f-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/lens/mimecast-b06b3340-3e3f-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..920a1994f0 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/lens/mimecast-b06b3340-3e3f-11ec-80fa-4dfb04910642.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2765d4bc-f979-4fab-9c1c-f1dd817397a9": { + "columnOrder": [ + "d26907e8-8968-43cf-bec1-174a1eb2e58c" + ], + "columns": { + "d26907e8-8968-43cf-bec1-174a1eb2e58c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mimecast.ttp_ip_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mimecast.ttp_ip_logs" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "mimecast.identifiers", + "negate": false, + "params": { + "query": "internal_user_name" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "mimecast.identifiers": "internal_user_name" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d26907e8-8968-43cf-bec1-174a1eb2e58c", + "layerId": "2765d4bc-f979-4fab-9c1c-f1dd817397a9", + "layerType": "data" + } + }, + "title": "[Mimecast] InternalUserName", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-b06b3340-3e3f-11ec-80fa-4dfb04910642", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2765d4bc-f979-4fab-9c1c-f1dd817397a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", 
+ "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253.json b/packages/mimecast/0.0.12/kibana/search/mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253.json new file mode 100755 index 0000000000..9cf07881b1 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253.json 
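Review bot: The title `[Mimecast] InternalUserName` does not follow the `…Count` naming used by the other `lnsMetric` objects in this package even though it is the same count-of-records visualization filtered on `mimecast.identifiers: internal_user_name`. Rename to `"title": "[Mimecast] InternalUserNameCount"` and fill the empty `description` with what the identifier means, e.g. "Count of TTP Impersonation Protect events flagged for an internal user name in the sender".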
@@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "user.email", + "mimecast.application", + "client.ip" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"user-logged-on\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"user-logged-on\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Top active user by login" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-0d8b0660-3fdd-11ec-8ace-9fcc35bfe253", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5.json b/packages/mimecast/0.0.12/kibana/search/mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5.json new file mode 100755 index 0000000000..ef8d3849f6 
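Review bot: The title `[Mimecast] Top active user by login` suggests an aggregated ranking, but the object is a plain saved search that lists `user-logged-on` audit events sorted by `@timestamp` desc with `user.email`, `mimecast.application` and `client.ip` columns, so it shows the most recent logins rather than the most active users. Rename it to match its sibling, e.g. `"title": "[Mimecast] Most recent user logins"`, or replace it with a terms aggregation on `user.email` if a "top" view is intended. For a login-audit view, sorting and a non-empty `description` stating that this is successful logons only would make the intent clear to an analyst.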
--- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5.json @@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "user.email", + "mimecast.application", + "client.ip" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"logon-authentication-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"logon-authentication-failed\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Most recent failed authentication" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-96ac7780-541e-11ec-bd43-b5e1f9a9c8d5", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642.json b/packages/mimecast/0.0.12/kibana/search/mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642.json new file mode 100755 index 0000000000..a0afaf7ef5 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642.json 
@@ -0,0 +1,47 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "email.attachments.file.extension", + "email.attachments.file.mime_type", + "email.attachments.file.hash.sha256", + "email.attachments.file.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_ap_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_ap_logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"mimecast.result\",\"negate\":false,\"params\":{\"query\":\"malicious\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"mimecast.result\":\"malicious\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Most recent attachment threats" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-9749a210-3e4a-11ec-80fa-4dfb04910642", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0.json b/packages/mimecast/0.0.12/kibana/search/mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0.json new file mode 100755 index 0000000000..aa382aa649 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0.json @@ -0,0 +1,43 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "mimecast.id", + "threat.indicator.first_seen", + "threat.indicator.modified_at", + "threat.indicator.file.hash.sha256", + "threat.indicator.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_customer\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_customer\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Threat Intel Feed Targeted - Most recent logs" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-bfb8e8f0-4084-11ec-b8da-95c3fba730d0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0.json b/packages/mimecast/0.0.12/kibana/search/mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0.json new file mode 100755 index 0000000000..e1d64eee35 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0.json @@ -0,0 +1,43 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "mimecast.id", + "threat.indicator.first_seen", + "threat.indicator.modified_at", + "threat.indicator.file.hash.sha256", + "threat.indicator.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.threat_intel_malware_grid\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.threat_intel_malware_grid\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Threat Intel Feed Regional - Most recent logs" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-df42cb00-4084-11ec-b8da-95c3fba730d0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655.json b/packages/mimecast/0.0.12/kibana/search/mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655.json new file mode 100755 index 0000000000..26d3ecf3c3 --- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655.json @@ -0,0 +1,45 @@ +{ + "attributes": { + "columns": [ + "event.action", + "user.name", + "user.email", + "user.domain", + "client.ip", + "client.as.organization.name", + "client.geo.country_iso_code", + "mimecast.application" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.audit_events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.audit_events\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Most recent audit events" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-eb3179f0-51ed-11ec-a4ca-b3a74c021655", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/kibana/search/mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253.json b/packages/mimecast/0.0.12/kibana/search/mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253.json new file mode 100755 index 0000000000..96c3d68d4a 
--- /dev/null +++ b/packages/mimecast/0.0.12/kibana/search/mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253.json @@ -0,0 +1,48 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "mimecast.category", + "user.email", + "url.original", + "event.action", + "email.direction", + "mimecast.userOverride", + "mimecast.adminOverride", + "mimecast.scanResult", + "mimecast.action", + "rule.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"mimecast.ttp_url_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"mimecast.ttp_url_logs\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Mimecast] Most recent TTP URL logs" + }, + "coreMigrationVersion": "7.16.0", + "id": "mimecast-fa36c5f0-3fef-11ec-8ace-9fcc35bfe253", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/mimecast/0.0.12/manifest.yml b/packages/mimecast/0.0.12/manifest.yml new file mode 100755 index 0000000000..a11cef6fe6 --- /dev/null +++ b/packages/mimecast/0.0.12/manifest.yml 
@@ -0,0 +1,32 @@ +format_version: 1.0.0 +name: mimecast +title: "Mimecast" +version: 0.0.12 +license: basic +description: "Collect logs from the Mimecast API with Elastic Agent." +type: integration +categories: + - security +release: beta +conditions: + kibana.version: "^7.17.0 || ^8.0.0" +screenshots: + - src: /img/mimecast.png + title: Sample screenshot + size: 600x600 + type: image/png +icons: + - src: /img/mimecast.svg + title: Sample logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: mimecast + title: Mimecast + description: Collect logs from the Mimecast API with Elastic Agent. + inputs: + - type: httpjson + title: Mimecast API + description: Collect logs from Mimecast API +owner: + github: elastic/security-external-integrations diff --git a/packages/netflow/2.0.1/changelog.yml b/packages/netflow/2.0.1/changelog.yml new file mode 100755 index 0000000000..b521cdc808 --- /dev/null +++ b/packages/netflow/2.0.1/changelog.yml 
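Review bot: The three descriptions of the same thing disagree in wording: the top-level `description` and the policy template both say `Collect logs from the Mimecast API with Elastic Agent.`, while the `httpjson` input says `Collect logs from Mimecast API` with neither article nor period; `description: Collect logs from the Mimecast API.` on the input keeps them aligned. Quoting is also mixed in this manifest — `title: "Mimecast"` and the top-level `description` are double-quoted while `name: mimecast` and the policy-template strings are plain; none of these values needs quoting, so one style throughout would read more cleanly.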
@@ -0,0 +1,112 @@ +# newer versions go on top +- version: "2.0.1" + changes: + - description: Fix invalid value in sample event + type: bugfix + link: https://github.com/elastic/integrations/pull/3334 +- version: "2.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "1.5.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.4.2" + changes: + - description: Replace invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3096 +- version: "1.4.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2424 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2220 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2098 +- version: "1.2.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1973 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1833 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1667 +- version: "1.1.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1489 +- version: '1.1.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1396 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1218 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1218 +- version: "0.4.1" + changes: + - description: Use `wildcard` field type for the relevant ECS fields. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1179 +- version: "0.4.0" + changes: + - description: update to ECS 1.10.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1062 +- version: "0.3.9" + changes: + - description: add pipeline tests and move ecs.version set the to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/1006 +- version: "0.3.8" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/857 +- version: "0.1.0" + changes: + - description: Change field type of `netflow.application_category_nam` and `netflow.application_sub_category_name` to keyword to ensure there are no type conflicts between vendors. + type: enhancement + link: https://github.com/elastic/integrations/pull/697 + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/23 diff --git a/packages/netflow/2.0.1/data_stream/log/agent/stream/netflow.yml.hbs b/packages/netflow/2.0.1/data_stream/log/agent/stream/netflow.yml.hbs new file mode 100755 index 0000000000..45be18a81e --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/agent/stream/netflow.yml.hbs 
@@ -0,0 +1,31 @@ +protocols: [v1, v5, v6, v7, v8, v9, ipfix] +host: '{{host}}:{{port}}' +max_message_size: '{{max_message_size}}' +expiration_timeout: '{{expiration_timeout}}' +queue_size: {{queue_size}} +{{#if timeout}} +timeout: '{{timeout}}' +{{/if}} +{{#if read_buffer}} +read_buffer: '{{read_buffer}}' +{{/if}} +{{#if custom_definitions}} +custom_definitions: +{{#each custom_definitions}} +- '{{this}}' +{{/each}} +{{/if}} +{{#if detect_sequence_reset}} +detect_sequence_reset: {{detect_sequence_reset}} +{{/if}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/netflow/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..a3ed6e0158 --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
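Review bot: The tag loop emits `  - {{tag}}` as a plain scalar, so a tag value that YAML types implicitly (`on`, `no`, `1.10`, an all-digit string) or one containing `: ` or ` #` changes type or breaks the rendered input config, whereas the sibling `custom_definitions` loop in the same template already quotes each item with `- '{{this}}'`; writing the tag line as `  - '{{tag}}'` makes the two loops consistent and removes the typing hazard. The loop also declares an index with `{{#each tags as |tag i|}}` but never uses `i`; `{{#each tags as |tag|}}` is sufficient. The boolean-ish `detect_sequence_reset: {{detect_sequence_reset}}` and numeric `queue_size: {{queue_size}}` are left unquoted, which looks deliberate given they are typed values, but a short `# unquoted on purpose: boolean/integer settings` comment above them would save the next reader the same question.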
@@ -0,0 +1,69 @@ +--- +description: Pipeline for NetFlow + +processors: + - set: + field: ecs.version + value: '8.2.0' + - convert: + field: network.iana_number + type: string + ignore_missing: true + ignore_failure: true + + - set: + field: event.category + value: + - network + - session + if: 'ctx.event?.category != null && ctx.event?.category == "network_session"' + + # IP Geolocation Lookup + - geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/netflow/2.0.1/data_stream/log/fields/agent.yml b/packages/netflow/2.0.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/fields/agent.yml 
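Review bot: The two ASN `geoip` processors run unconditionally, while the two city lookups directly above them are guarded with `if: ctx.source?.geo == null` and `if: ctx.destination?.geo == null`; if the intent of those guards is to keep enrichment that is already present on the event, the ASN lookups need the matching `if: ctx.source?.as == null` and `if: ctx.destination?.as == null`, otherwise the unconditional lookup followed by the `rename` to `source.as.number` / `destination.as.number` overwrites whatever was there. Separately, in the `event.category` `set` processor the `ctx.event?.category != null &&` clause is redundant, since `ctx.event?.category == "network_session"` is already false for a null value; `if: 'ctx.event?.category == "network_session"'` reads more directly. A one-line `# Geo/ASN enrichment is skipped when the event already carries it` comment above the lookup block would record the intent either way.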
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
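Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit value, so YAML parses it as an integer even though the field is declared `type: keyword`; quote it as `example: "666777888999"`, matching the already-quoted `example: "18D109"` on `host.os.build` later in the same file. The file also mixes two description styles — most entries use plain or single-quoted scalars, while `containerized`, `os.build` and `os.codename` use folded `description: >` blocks followed by a blank line, which keeps a trailing newline in the value; `>-` or a plain scalar would make them consistent with the rest of the file. Neither point changes the mapping as far as this hunk shows, but both make the generated field docs uneven.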
diff --git a/packages/netflow/2.0.1/data_stream/log/fields/base-fields.yml b/packages/netflow/2.0.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..12d5ac2a45 --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: netflow +- name: event.dataset + type: constant_keyword + description: Event dataset + value: netflow.log +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/netflow/2.0.1/data_stream/log/fields/ecs.yml b/packages/netflow/2.0.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..64d39d7f2e --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/fields/ecs.yml 
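Review bot: The descriptions for `event.module` and `event.dataset` (`Event module`, `Event dataset`) lack the terminating period every other entry in this file has; `description: Event module.` and `description: Event dataset.` keep the rendered docs uniform. The rest of the file is fine — `'@timestamp'` is correctly quoted, since a bare leading `@` is a reserved YAML indicator, and the `constant_keyword` values `netflow` and `netflow.log` are unambiguous plain scalars.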
@@ -0,0 +1,1595 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Ephemeral identifier of this agent (if one exists). + This id normally changes across restarts, but `agent.id` does not. + name: agent.ephemeral_id + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + If no name is given, the name is often left empty. + name: agent.name + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: Version of the agent. + name: agent.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: as.organization.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: client.geo.name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.domain + type: keyword +- description: User email address. 
+ name: client.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: client.user.group.id + type: keyword +- description: Name of the group. + name: client.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: client.user.hash + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: Unique container id. 
+ name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. + name: container.image.tag + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: destination.user.domain
+ type: keyword
+- description: User email address.
+ name: destination.user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: destination.user.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: destination.user.group.id
+ type: keyword
+- description: Name of the group.
+ name: destination.user.group.name
+ type: keyword
+- description: |-
+ Unique user hash to correlate information for a user in anonymized form.
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+ name: destination.user.hash
+ type: keyword
+- description: Unique identifier of the user.
+ name: destination.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.name
+ type: keyword
+- description: |-
+ An array containing an object for each answer section returned by the server.
+ The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
+ Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+ name: dns.answers
+ type: object
+- description: The class of DNS data contained in this resource record.
+ name: dns.answers.class
+ type: keyword
+- description: |-
+ The data describing the resource.
+ The meaning of this data depends on the type and class of the resource record.
+ name: dns.answers.data
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+ name: dns.answers.ttl
+ type: long
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ Array of 2 letter DNS header flags.
+ Expected values are: AA, TC, RD, RA, AD, CD, DO.
+ name: dns.header_flags
+ type: keyword
+- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ name: dns.id
+ type: keyword
+- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+ name: dns.op_code
+ type: keyword
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ Array containing all IPs seen in `answers.data`.
+ The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+ name: dns.resolved_ip
+ type: ip
+- description: The DNS response code.
+ name: dns.response_code
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: Unique identifier for the error.
+ name: error.id
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: The stack trace of this error in plain text.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: error.stack_trace
+ type: wildcard
+- description: The type of the error, for example the class name of the exception.
+ name: error.type
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+ name: event.hash
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+ name: event.risk_score
+ type: float
+- description: |-
+ Normalized risk score or priority of the event, on a scale of 0 to 100.
+ This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+ name: event.risk_score_norm
+ type: float
+- description: |-
+ Sequence number of the event.
+ The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+ name: event.sequence
+ type: long
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Last time the file was accessed.
+ Note that not all filesystems keep track of access time.
+ name: file.accessed
+ type: date
+- description: |-
+ File creation time.
+ Note that not all filesystems store the creation time.
+ name: file.created
+ type: date
+- description: |-
+ Last time the file attributes or metadata changed.
+ Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+ name: file.ctime
+ type: date
+- description: Device that is the source of the file.
+ name: file.device
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Primary group ID (GID) of the file.
+ name: file.gid
+ type: keyword
+- description: Primary group name of the file.
+ name: file.group
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: Inode representing the file in the filesystem.
+ name: file.inode
+ type: keyword
+- description: Mode of the file in octal representation.
+ name: file.mode
+ type: keyword
+- description: Last time the file content was modified.
+ name: file.mtime
+ type: date
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: File owner's username.
+ name: file.owner
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: Target path for symlinks.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.target_path
+ type: keyword
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: The user ID (UID) or security identifier (SID) of the file owner.
+ name: file.uid
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region ISO code.
+ name: geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: MD5 hash.
+ name: hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: hash.sha512
+ type: keyword
+- description: Operating system architecture.
+ name: host.architecture
+ type: keyword
+- description: City name.
+ name: host.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: host.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: host.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: host.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: host.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: host.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: host.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: host.geo.region_name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: host.os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: host.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: host.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: |-
+ Type of host.
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+ name: host.type
+ type: keyword
+- description: Seconds the host has been up.
+ name: host.uptime
+ type: long
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: The full HTTP request body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.request.body.content
+ type: wildcard
+- description: Total size in bytes of the request (body and headers).
+ name: http.request.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: The full HTTP response body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.response.body.content
+ type: wildcard
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: The line number of the file containing the source code which originated the log event.
+ name: log.origin.file.line
+ type: long
+- description: |-
+ The name of the file containing the source code which originated the log event.
+ Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+ name: log.origin.file.name
+ type: keyword
+- description: The name of the function or method which originated the log event.
+ name: log.origin.function
+ type: keyword
+- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+ name: log.syslog
+ type: object
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: The Syslog text-based facility of the log event, if available.
+ name: log.syslog.facility.name
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+ name: log.syslog.severity.name
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: City name.
+ name: observer.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: observer.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: observer.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: observer.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: observer.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: observer.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: observer.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: observer.geo.region_name
+ type: keyword
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ MAC addresses of the observer.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: observer.mac
+ type: keyword
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: observer.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: observer.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: observer.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: observer.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: observer.os.platform + type: keyword +- description: Operating system version as a raw string. + name: observer.os.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: os.full + type: keyword +- description: Operating system kernel version as a raw string. 
+ name: os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: os.platform + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Package architecture. + name: package.architecture + type: keyword +- description: Checksum of the installed package for verification. + name: package.checksum + type: keyword +- description: Description of the package. + name: package.description + type: keyword +- description: Indicating how the package was installed, e.g. user-local, global. + name: package.install_scope + type: keyword +- description: Time when package was installed. + name: package.installed + type: date +- description: |- + License under which the package was released. + Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + name: package.license + type: keyword +- description: Package name + name: package.name + type: keyword +- description: Path where the package is installed. + name: package.path + type: keyword +- description: Package size in bytes. + name: package.size + type: long +- description: Package version + name: package.version + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. 
+ name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + Identifier of the group of processes the process belongs to. + name: process.pgid + type: long +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: Thread ID. + name: process.thread.id + type: long +- description: Thread name. + name: process.thread.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Seconds the process has been up. + name: process.uptime + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: server.as.number + type: long +- description: Organization name. 
+ multi_fields: + - name: text + type: match_only_text + name: server.as.organization.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: City name. + name: server.geo.city_name + type: keyword +- description: Name of the continent. + name: server.geo.continent_name + type: keyword +- description: Country ISO code. + name: server.geo.country_iso_code + type: keyword +- description: Country name. + name: server.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: server.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: server.geo.name + type: keyword +- description: Region ISO code. + name: server.geo.region_iso_code + type: keyword +- description: Region name. + name: server.geo.region_name + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. 
+ name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.domain + type: keyword +- description: User email address. + name: server.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: server.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: server.user.group.id + type: keyword +- description: Name of the group. + name: server.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: server.user.hash + type: keyword +- description: Unique identifier of the user. + name: server.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + Ephemeral identifier of this service (if one exists). + This id normally changes across restarts, but `service.id` does not. + name: service.ephemeral_id + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Name of a service node. + This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. 
+ In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + name: service.node.name + type: keyword +- description: Current state of the service. + name: service.state + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Version of the service the data was collected from. + This allows to look at a data set only for a specific version of a service. + name: service.version + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. 
+ name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: source.user.group.id + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: source.user.hash + type: keyword +- description: Unique identifier of the user. 
+ name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + name: threat.framework + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + type: keyword +- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + type: keyword +- description: |- + Unique identifier of the trace. + A trace groups multiple events like transactions that belong together. 
For example, a user request handled by multiple inter-connected services. + name: trace.id + type: keyword +- description: |- + Unique identifier of the transaction within the scope of its trace. + A transaction is the highest level of work measured within a service, such as a request to a server. + name: transaction.id + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. 
+ multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. 
+ name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: user.hash + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). 
+ name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/netflow/2.0.1/data_stream/log/fields/package-fields.yml b/packages/netflow/2.0.1/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..1915b6a75d --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/fields/package-fields.yml 
@@ -0,0 +1,2689 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: flow.locality + type: keyword + description: Identifies whether the flow involved public IP addresses or only private address. +- name: flow.id + type: keyword + description: Hash of source and destination IPs. +- name: destination.locality + type: keyword + description: Whether the destination IP is private or public. +- name: source.locality + type: keyword + description: Whether the source IP is private or public. +- name: netflow + type: group + description: > + Fields from NetFlow and IPFIX. + + fields: + - name: type + type: keyword + description: > + The type of NetFlow record described by this event. + + - name: exporter + type: group + description: > + Metadata related to the exporter device that generated this record. + + fields: + - name: address + type: keyword + description: > + Exporter's network address in IP:port format. + + - name: source_id + type: long + description: > + Observation domain ID to which this record belongs. + + - name: timestamp + type: date + description: > + Time and date of export. + + - name: uptime_millis + type: long + description: > + How long the exporter process has been running, in milliseconds. + + - name: version + type: integer + description: > + NetFlow version used. 
+ + - name: absolute_error + type: double + - name: address_pool_high_threshold + type: long + - name: address_pool_low_threshold + type: long + - name: address_port_mapping_high_threshold + type: long + - name: address_port_mapping_low_threshold + type: long + - name: address_port_mapping_per_user_high_threshold + type: long + - name: afc_protocol + type: integer + - name: afc_protocol_name + type: keyword + - name: anonymization_flags + type: integer + - name: anonymization_technique + type: integer + - name: application_business-relevance + type: long + - name: application_category_name + type: keyword + - name: application_description + type: keyword + - name: application_group_name + type: keyword + - name: application_http_uri_statistics + type: short + - name: application_http_user-agent + type: short + - name: application_id + type: short + - name: application_name + type: keyword + - name: application_sub_category_name + type: keyword + - name: application_traffic-class + type: long + - name: art_client_network_time_maximum + type: long + - name: art_client_network_time_minimum + type: long + - name: art_client_network_time_sum + type: long + - name: art_clientpackets + type: long + - name: art_count_late_responses + type: long + - name: art_count_new_connections + type: long + - name: art_count_responses + type: long + - name: art_count_responses_histogram_bucket1 + type: long + - name: art_count_responses_histogram_bucket2 + type: long + - name: art_count_responses_histogram_bucket3 + type: long + - name: art_count_responses_histogram_bucket4 + type: long + - name: art_count_responses_histogram_bucket5 + type: long + - name: art_count_responses_histogram_bucket6 + type: long + - name: art_count_responses_histogram_bucket7 + type: long + - name: art_count_retransmissions + type: long + - name: art_count_transactions + type: long + - name: art_network_time_maximum + type: long + - name: art_network_time_minimum + type: long + - name: art_network_time_sum + 
type: long + - name: art_response_time_maximum + type: long + - name: art_response_time_minimum + type: long + - name: art_response_time_sum + type: long + - name: art_server_network_time_maximum + type: long + - name: art_server_network_time_minimum + type: long + - name: art_server_network_time_sum + type: long + - name: art_server_response_time_maximum + type: long + - name: art_server_response_time_minimum + type: long + - name: art_server_response_time_sum + type: long + - name: art_serverpackets + type: long + - name: art_total_response_time_maximum + type: long + - name: art_total_response_time_minimum + type: long + - name: art_total_response_time_sum + type: long + - name: art_total_transaction_time_maximum + type: long + - name: art_total_transaction_time_minimum + type: long + - name: art_total_transaction_time_sum + type: long + - name: assembled_fragment_count + type: long + - name: audit_counter + type: long + - name: average_interarrival_time + type: long + - name: bgp_destination_as_number + type: long + - name: bgp_next_adjacent_as_number + type: long + - name: bgp_next_hop_ipv4_address + type: ip + - name: bgp_next_hop_ipv6_address + type: ip + - name: bgp_prev_adjacent_as_number + type: long + - name: bgp_source_as_number + type: long + - name: bgp_validity_state + type: short + - name: biflow_direction + type: short + - name: bind_ipv4_address + type: ip + - name: bind_transport_port + type: integer + - name: class_id + type: long + - name: class_name + type: keyword + - name: classification_engine_id + type: short + - name: collection_time_milliseconds + type: date + - name: collector_certificate + type: short + - name: collector_ipv4_address + type: ip + - name: collector_ipv6_address + type: ip + - name: collector_transport_port + type: integer + - name: common_properties_id + type: long + - name: confidence_level + type: double + - name: conn_ipv4_address + type: ip + - name: conn_transport_port + type: integer + - name: 
connection_sum_duration_seconds
+ type: long
+ - name: connection_transaction_id
+ type: long
+ - name: conntrack_id
+ type: long
+ - name: data_byte_count
+ type: long
+ - name: data_link_frame_section
+ type: short
+ - name: data_link_frame_size
+ type: integer
+ - name: data_link_frame_type
+ type: integer
+ - name: data_records_reliability
+ type: boolean
+ - name: delta_flow_count
+ type: long
+ - name: destination_ipv4_address
+ type: ip
+ - name: destination_ipv4_prefix
+ type: ip
+ - name: destination_ipv4_prefix_length
+ type: short
+ - name: destination_ipv6_address
+ type: ip
+ - name: destination_ipv6_prefix
+ type: ip
+ - name: destination_ipv6_prefix_length
+ type: short
+ - name: destination_mac_address
+ type: keyword
+ - name: destination_transport_port
+ type: integer
+ - name: digest_hash_value
+ type: long
+ - name: distinct_count_of_destination_ip_address
+ type: long
+ - name: distinct_count_of_destination_ipv4_address
+ type: long
+ - name: distinct_count_of_destination_ipv6_address
+ type: long
+ - name: distinct_count_of_source_ip_address
+ type: long
+ - name: distinct_count_of_source_ipv4_address
+ type: long
+ - name: distinct_count_of_source_ipv6_address
+ type: long
+ - name: dns_authoritative
+ type: short
+ - name: dns_cname
+ type: keyword
+ - name: dns_id
+ type: integer
+ - name: dns_mx_exchange
+ type: keyword
+ - name: dns_mx_preference
+ type: integer
+ - name: dns_nsd_name
+ type: keyword
+ - name: dns_nx_domain
+ type: short
+ - name: dns_ptrd_name
+ type: keyword
+ - name: dns_qname
+ type: keyword
+ - name: dns_qr_type
+ type: integer
+ - name: dns_query_response
+ type: short
+ - name: dns_rr_section
+ type: short
+ - name: dns_soa_expire
+ type: long
+ - name: dns_soa_minimum
+ type: long
+ - name: dns_soa_refresh
+ type: long
+ - name: dns_soa_retry
+ type: long
+ - name: dns_soa_serial
+ type: long
+ - name: dns_soam_name
+ type: keyword
+ - name: dns_soar_name
+ type: keyword
+ - name: dns_srv_port
+ type: integer
+ - name: dns_srv_priority
+ type: integer
+ - name: dns_srv_target
+ type: integer
+ - name: dns_srv_weight
+ type: integer
+ - name: dns_ttl
+ type: long
+ - name: dns_txt_data
+ type: keyword
+ - name: dot1q_customer_dei
+ type: boolean
+ - name: dot1q_customer_destination_mac_address
+ type: keyword
+ - name: dot1q_customer_priority
+ type: short
+ - name: dot1q_customer_source_mac_address
+ type: keyword
+ - name: dot1q_customer_vlan_id
+ type: integer
+ - name: dot1q_dei
+ type: boolean
+ - name: dot1q_priority
+ type: short
+ - name: dot1q_service_instance_id
+ type: long
+ - name: dot1q_service_instance_priority
+ type: short
+ - name: dot1q_service_instance_tag
+ type: short
+ - name: dot1q_vlan_id
+ type: integer
+ - name: dropped_layer2_octet_delta_count
+ type: long
+ - name: dropped_layer2_octet_total_count
+ type: long
+ - name: dropped_octet_delta_count
+ type: long
+ - name: dropped_octet_total_count
+ type: long
+ - name: dropped_packet_delta_count
+ type: long
+ - name: dropped_packet_total_count
+ type: long
+ - name: dst_traffic_index
+ type: long
+ - name: egress_broadcast_packet_total_count
+ type: long
+ - name: egress_interface
+ type: long
+ - name: egress_interface_type
+ type: long
+ - name: egress_physical_interface
+ type: long
+ - name: egress_unicast_packet_total_count
+ type: long
+ - name: egress_vrfid
+ type: long
+ - name: encrypted_technology
+ type: keyword
+ - name: engine_id
+ type: short
+ - name: engine_type
+ type: short
+ - name: ethernet_header_length
+ type: short
+ - name: ethernet_payload_length
+ type: integer
+ - name: ethernet_total_length
+ type: integer
+ - name: ethernet_type
+ type: integer
+ - name: expired_fragment_count
+ type: long
+ - name: export_interface
+ type: long
+ - name: export_protocol_version
+ type: short
+ - name: export_sctp_stream_id
+ type: integer
+ - name: export_transport_protocol
+ type: short
+ - name: exported_flow_record_total_count
+ type: long
+ - name: exported_message_total_count
+ type: long
+ - name: exported_octet_total_count
+ type: long
+ - name: exporter_certificate
+ type: short
+ - name: exporter_ipv4_address
+ type: ip
+ - name: exporter_ipv6_address
+ type: ip
+ - name: exporter_transport_port
+ type: integer
+ - name: exporting_process_id
+ type: long
+ - name: external_address_realm
+ type: short
+ - name: firewall_event
+ type: short
+ - name: first_eight_non_empty_packet_directions
+ type: short
+ - name: first_non_empty_packet_size
+ type: integer
+ - name: first_packet_banner
+ type: keyword
+ - name: flags_and_sampler_id
+ type: long
+ - name: flow_active_timeout
+ type: integer
+ - name: flow_attributes
+ type: integer
+ - name: flow_direction
+ type: short
+ - name: flow_duration_microseconds
+ type: long
+ - name: flow_duration_milliseconds
+ type: long
+ - name: flow_end_delta_microseconds
+ type: long
+ - name: flow_end_microseconds
+ type: date
+ - name: flow_end_milliseconds
+ type: date
+ - name: flow_end_nanoseconds
+ type: date
+ - name: flow_end_reason
+ type: short
+ - name: flow_end_seconds
+ type: date
+ - name: flow_end_sys_up_time
+ type: long
+ - name: flow_id
+ type: long
+ - name: flow_idle_timeout
+ type: integer
+ - name: flow_key_indicator
+ type: long
+ - name: flow_label_ipv6
+ type: long
+ - name: flow_sampling_time_interval
+ type: long
+ - name: flow_sampling_time_spacing
+ type: long
+ - name: flow_selected_flow_delta_count
+ type: long
+ - name: flow_selected_octet_delta_count
+ type: long
+ - name: flow_selected_packet_delta_count
+ type: long
+ - name: flow_selector_algorithm
+ type: integer
+ - name: flow_start_delta_microseconds
+ type: long
+ - name: flow_start_microseconds
+ type: date
+ - name: flow_start_milliseconds
+ type: date
+ - name: flow_start_nanoseconds
+ type: date
+ - name: flow_start_seconds
+ type: date
+ - name: flow_start_sys_up_time
+ type: long
+ - name: flow_table_flush_event_count
+ type: long
+ - name: flow_table_peak_count
+ type: long
+ - name: forwarding_status
+ type: short
+ - name: fragment_flags
+ type: short
+ - name: fragment_identification
+ type: long
+ - name: fragment_offset
+ type: integer
+ - name: fw_blackout_secs
+ type: long
+ - name: fw_configured_value
+ type: long
+ - name: fw_cts_src_sgt
+ type: long
+ - name: fw_event_level
+ type: long
+ - name: fw_event_level_id
+ type: long
+ - name: fw_ext_event
+ type: integer
+ - name: fw_ext_event_alt
+ type: long
+ - name: fw_ext_event_desc
+ type: keyword
+ - name: fw_half_open_count
+ type: long
+ - name: fw_half_open_high
+ type: long
+ - name: fw_half_open_rate
+ type: long
+ - name: fw_max_sessions
+ type: long
+ - name: fw_rule
+ type: keyword
+ - name: fw_summary_pkt_count
+ type: long
+ - name: fw_zone_pair_id
+ type: long
+ - name: fw_zone_pair_name
+ type: long
+ - name: global_address_mapping_high_threshold
+ type: long
+ - name: gre_key
+ type: long
+ - name: hash_digest_output
+ type: boolean
+ - name: hash_flow_domain
+ type: integer
+ - name: hash_initialiser_value
+ type: long
+ - name: hash_ip_payload_offset
+ type: long
+ - name: hash_ip_payload_size
+ type: long
+ - name: hash_output_range_max
+ type: long
+ - name: hash_output_range_min
+ type: long
+ - name: hash_selected_range_max
+ type: long
+ - name: hash_selected_range_min
+ type: long
+ - name: http_content_type
+ type: keyword
+ - name: http_message_version
+ type: keyword
+ - name: http_reason_phrase
+ type: keyword
+ - name: http_request_host
+ type: keyword
+ - name: http_request_method
+ type: keyword
+ - name: http_request_target
+ type: keyword
+ - name: http_status_code
+ type: integer
+ - name: http_user_agent
+ type: keyword
+ - name: icmp_code_ipv4
+ type: short
+ - name: icmp_code_ipv6
+ type: short
+ - name: icmp_type_code_ipv4
+ type: integer
+ - name: icmp_type_code_ipv6
+ type: integer
+ - name: icmp_type_ipv4
+ type: short
+ - name: icmp_type_ipv6
+ type: short
+ - name: igmp_type
+ type: short
+ - name: ignored_data_record_total_count
+ type: long
+ - name: ignored_layer2_frame_total_count
+ type: long
+ - name: ignored_layer2_octet_total_count
+ type: long
+ - name: ignored_octet_total_count
+ type: long
+ - name: ignored_packet_total_count
+ type: long
+ - name: information_element_data_type
+ type: short
+ - name: information_element_description
+ type: keyword
+ - name: information_element_id
+ type: integer
+ - name: information_element_index
+ type: integer
+ - name: information_element_name
+ type: keyword
+ - name: information_element_range_begin
+ type: long
+ - name: information_element_range_end
+ type: long
+ - name: information_element_semantics
+ type: short
+ - name: information_element_units
+ type: integer
+ - name: ingress_broadcast_packet_total_count
+ type: long
+ - name: ingress_interface
+ type: long
+ - name: ingress_interface_type
+ type: long
+ - name: ingress_multicast_packet_total_count
+ type: long
+ - name: ingress_physical_interface
+ type: long
+ - name: ingress_unicast_packet_total_count
+ type: long
+ - name: ingress_vrfid
+ type: long
+ - name: initial_tcp_flags
+ type: short
+ - name: initiator_octets
+ type: long
+ - name: initiator_packets
+ type: long
+ - name: interface_description
+ type: keyword
+ - name: interface_name
+ type: keyword
+ - name: intermediate_process_id
+ type: long
+ - name: internal_address_realm
+ type: short
+ - name: ip_class_of_service
+ type: short
+ - name: ip_diff_serv_code_point
+ type: short
+ - name: ip_header_length
+ type: short
+ - name: ip_header_packet_section
+ type: short
+ - name: ip_next_hop_ipv4_address
+ type: ip
+ - name: ip_next_hop_ipv6_address
+ type: ip
+ - name: ip_payload_length
+ type: long
+ - name: ip_payload_packet_section
+ type: short
+ - name: ip_precedence
+ type: short
+ - name: ip_sec_spi
+ type: long
+ - name: ip_total_length
+ type: long
+ - name: ip_ttl
+ type: short
+ - name: ip_version
+ type: short
+ - name: ipv4_ihl
+ type: short
+ - name: ipv4_options
+ type: long
+ - name: ipv4_router_sc
+ type: ip
+ - name: ipv6_extension_headers
+ type: long
+ - name: is_multicast
+ type: short
+ - name: ixia_browser_id
+ type: short
+ - name: ixia_browser_name
+ type: keyword
+ - name: ixia_device_id
+ type: short
+ - name: ixia_device_name
+ type: keyword
+ - name: ixia_dns_answer
+ type: keyword
+ - name: ixia_dns_classes
+ type: keyword
+ - name: ixia_dns_query
+ type: keyword
+ - name: ixia_dns_record_txt
+ type: keyword
+ - name: ixia_dst_as_name
+ type: keyword
+ - name: ixia_dst_city_name
+ type: keyword
+ - name: ixia_dst_country_code
+ type: keyword
+ - name: ixia_dst_country_name
+ type: keyword
+ - name: ixia_dst_latitude
+ type: float
+ - name: ixia_dst_longitude
+ type: float
+ - name: ixia_dst_region_code
+ type: keyword
+ - name: ixia_dst_region_node
+ type: keyword
+ - name: ixia_encrypt_cipher
+ type: keyword
+ - name: ixia_encrypt_key_length
+ type: integer
+ - name: ixia_encrypt_type
+ type: keyword
+ - name: ixia_http_host_name
+ type: keyword
+ - name: ixia_http_uri
+ type: keyword
+ - name: ixia_http_user_agent
+ type: keyword
+ - name: ixia_imsi_subscriber
+ type: keyword
+ - name: ixia_l7_app_id
+ type: long
+ - name: ixia_l7_app_name
+ type: keyword
+ - name: ixia_latency
+ type: long
+ - name: ixia_rev_octet_delta_count
+ type: long
+ - name: ixia_rev_packet_delta_count
+ type: long
+ - name: ixia_src_as_name
+ type: keyword
+ - name: ixia_src_city_name
+ type: keyword
+ - name: ixia_src_country_code
+ type: keyword
+ - name: ixia_src_country_name
+ type: keyword
+ - name: ixia_src_latitude
+ type: float
+ - name: ixia_src_longitude
+ type: float
+ - name: ixia_src_region_code
+ type: keyword
+ - name: ixia_src_region_name
+ type: keyword
+ - name: ixia_threat_ipv4
+ type: ip
+ - name: ixia_threat_ipv6
+ type: ip
+ - name: ixia_threat_type
+ type: keyword
+ - name: large_packet_count
+ type: long
+ - name: layer2_frame_delta_count
+ type: long
+ - name: layer2_frame_total_count
+ type: long
+ - name: layer2_octet_delta_count
+ type: long
+ - name: layer2_octet_delta_sum_of_squares
+ type: long
+ - name: layer2_octet_total_count
+ type: long
+ - name: layer2_octet_total_sum_of_squares
+ type: long
+ - name: layer2_segment_id
+ type: long
+ - name: layer2packet_section_data
+ type: short
+ - name: layer2packet_section_offset
+ type: integer
+ - name: layer2packet_section_size
+ type: integer
+ - name: line_card_id
+ type: long
+ - name: log_op
+ type: short
+ - name: lower_ci_limit
+ type: double
+ - name: mark
+ type: long
+ - name: max_bib_entries
+ type: long
+ - name: max_entries_per_user
+ type: long
+ - name: max_export_seconds
+ type: date
+ - name: max_flow_end_microseconds
+ type: date
+ - name: max_flow_end_milliseconds
+ type: date
+ - name: max_flow_end_nanoseconds
+ type: date
+ - name: max_flow_end_seconds
+ type: date
+ - name: max_fragments_pending_reassembly
+ type: long
+ - name: max_packet_size
+ type: integer
+ - name: max_session_entries
+ type: long
+ - name: max_subscribers
+ type: long
+ - name: maximum_ip_total_length
+ type: long
+ - name: maximum_layer2_total_length
+ type: long
+ - name: maximum_ttl
+ type: short
+ - name: mean_flow_rate
+ type: long
+ - name: mean_packet_rate
+ type: long
+ - name: message_md5_checksum
+ type: short
+ - name: message_scope
+ type: short
+ - name: metering_process_id
+ type: long
+ - name: metro_evc_id
+ type: keyword
+ - name: metro_evc_type
+ type: short
+ - name: mib_capture_time_semantics
+ type: short
+ - name: mib_context_engine_id
+ type: short
+ - name: mib_context_name
+ type: keyword
+ - name: mib_index_indicator
+ type: long
+ - name: mib_module_name
+ type: keyword
+ - name: mib_object_description
+ type: keyword
+ - name: mib_object_identifier
+ type: short
+ - name: mib_object_name
+ type: keyword
+ - name: mib_object_syntax
+ type: keyword
+ - name: mib_object_value_bits
+ type: short
+ - name: mib_object_value_counter
+ type: long
+ - name: mib_object_value_gauge
+ type: long
+ - name: mib_object_value_integer
+ type: integer
+ - name: mib_object_value_ip_address
+ type: ip
+ - name: mib_object_value_octet_string
+ type: short
+ - name: mib_object_value_oid
+ type: short
+ - name: mib_object_value_time_ticks
+ type: long
+ - name: mib_object_value_unsigned
+ type: long
+ - name: mib_sub_identifier
+ type: long
+ - name: min_export_seconds
+ type: date
+ - name: min_flow_start_microseconds
+ type: date
+ - name: min_flow_start_milliseconds
+ type: date
+ - name: min_flow_start_nanoseconds
+ type: date
+ - name: min_flow_start_seconds
+ type: date
+ - name: minimum_ip_total_length
+ type: long
+ - name: minimum_layer2_total_length
+ type: long
+ - name: minimum_ttl
+ type: short
+ - name: mobile_imsi
+ type: keyword
+ - name: mobile_msisdn
+ type: keyword
+ - name: monitoring_interval_end_milli_seconds
+ type: date
+ - name: monitoring_interval_start_milli_seconds
+ type: date
+ - name: mpls_label_stack_depth
+ type: long
+ - name: mpls_label_stack_length
+ type: long
+ - name: mpls_label_stack_section
+ type: short
+ - name: mpls_label_stack_section10
+ type: short
+ - name: mpls_label_stack_section2
+ type: short
+ - name: mpls_label_stack_section3
+ type: short
+ - name: mpls_label_stack_section4
+ type: short
+ - name: mpls_label_stack_section5
+ type: short
+ - name: mpls_label_stack_section6
+ type: short
+ - name: mpls_label_stack_section7
+ type: short
+ - name: mpls_label_stack_section8
+ type: short
+ - name: mpls_label_stack_section9
+ type: short
+ - name: mpls_payload_length
+ type: long
+ - name: mpls_payload_packet_section
+ type: short
+ - name: mpls_top_label_exp
+ type: short
+ - name: mpls_top_label_ipv4_address
+ type: ip
+ - name: mpls_top_label_ipv6_address
+ type: ip
+ - name: mpls_top_label_prefix_length
+ type: short
+ - name: mpls_top_label_stack_section
+ type: short
+ - name: mpls_top_label_ttl
+ type: short
+ - name: mpls_top_label_type
+ type: short
+ - name: mpls_vpn_route_distinguisher
+ type: short
+ - name: mptcp_address_id
+ type: short
+ - name: mptcp_flags
+ type: short
+ - name: mptcp_initial_data_sequence_number
+ type: long
+ - name: mptcp_maximum_segment_size
+ type: integer
+ - name: mptcp_receiver_token
+ type: long
+ - name: multicast_replication_factor
+ type: long
+ - name: nat_event
+ type: short
+ - name: nat_inside_svcid
+ type: integer
+ - name: nat_instance_id
+ type: long
+ - name: nat_originating_address_realm
+ type: short
+ - name: nat_outside_svcid
+ type: integer
+ - name: nat_pool_id
+ type: long
+ - name: nat_pool_name
+ type: keyword
+ - name: nat_quota_exceeded_event
+ type: long
+ - name: nat_sub_string
+ type: keyword
+ - name: nat_threshold_event
+ type: long
+ - name: nat_type
+ type: short
+ - name: netscale_ica_client_version
+ type: keyword
+ - name: netscaler_aaa_username
+ type: keyword
+ - name: netscaler_app_name
+ type: keyword
+ - name: netscaler_app_name_app_id
+ type: long
+ - name: netscaler_app_name_incarnation_number
+ type: long
+ - name: netscaler_app_template_name
+ type: keyword
+ - name: netscaler_app_unit_name_app_id
+ type: long
+ - name: netscaler_application_startup_duration
+ type: long
+ - name: netscaler_application_startup_time
+ type: long
+ - name: netscaler_cache_redir_client_connection_core_id
+ type: long
+ - name: netscaler_cache_redir_client_connection_transaction_id
+ type: long
+ - name: netscaler_client_rtt
+ type: long
+ - name: netscaler_connection_chain_hop_count
+ type: long
+ - name: netscaler_connection_chain_id
+ type: short
+ - name: netscaler_connection_id
+ type: long
+ - name: netscaler_current_license_consumed
+ type: long
+ - name: netscaler_db_clt_host_name
+ type: keyword
+ - name: netscaler_db_database_name
+ type: keyword
+ - name: netscaler_db_login_flags
+ type: long
+ - name: netscaler_db_protocol_name
+ type: short
+ - name: netscaler_db_req_string
+ type: keyword
+ - name: netscaler_db_req_type
+ type: short
+ - name: netscaler_db_resp_length
+ type: long
+ - name: netscaler_db_resp_status
+ type: long
+ - name: netscaler_db_resp_status_string
+ type: keyword
+ - name: netscaler_db_user_name
+ type: keyword
+ - name: netscaler_flow_flags
+ type: long
+ - name: netscaler_http_client_interaction_end_time
+ type: keyword
+ - name: netscaler_http_client_interaction_start_time
+ type: keyword
+ - name: netscaler_http_client_render_end_time
+ type: keyword
+ - name: netscaler_http_client_render_start_time
+ type: keyword
+ - name: netscaler_http_content_type
+ type: keyword
+ - name: netscaler_http_domain_name
+ type: keyword
+ - name: netscaler_http_req_authorization
+ type: keyword
+ - name: netscaler_http_req_cookie
+ type: keyword
+ - name: netscaler_http_req_forw_fb
+ type: long
+ - name: netscaler_http_req_forw_lb
+ type: long
+ - name: netscaler_http_req_host
+ type: keyword
+ - name: netscaler_http_req_method
+ type: keyword
+ - name: netscaler_http_req_rcv_fb
+ type: long
+ - name: netscaler_http_req_rcv_lb
+ type: long
+ - name: netscaler_http_req_referer
+ type: keyword
+ - name: netscaler_http_req_url
+ type: keyword
+ - name: netscaler_http_req_user_agent
+ type: keyword
+ - name: netscaler_http_req_via
+ type: keyword
+ - name: netscaler_http_req_xforwarded_for
+ type: keyword
+ - name: netscaler_http_res_forw_fb
+ type: long
+ - name: netscaler_http_res_forw_lb
+ type: long
+ - name: netscaler_http_res_location
+ type: keyword
+ - name: netscaler_http_res_rcv_fb
+ type: long
+ - name: netscaler_http_res_rcv_lb
+ type: long
+ - name: netscaler_http_res_set_cookie
+ type: keyword
+ - name: netscaler_http_res_set_cookie2
+ type: keyword
+ - name: netscaler_http_rsp_len
+ type: long
+ - name: netscaler_http_rsp_status
+ type: integer
+ - name: netscaler_ica_app_module_path
+ type: keyword
+ - name: netscaler_ica_app_process_id
+ type: long
+ - name: netscaler_ica_application_name
+ type: keyword
+ - name: netscaler_ica_application_termination_time
+ type: long
+ - name: netscaler_ica_application_termination_type
+ type: integer
+ - name: netscaler_ica_channel_id1
+ type: long
+ - name: netscaler_ica_channel_id1_bytes
+ type: long
+ - name: netscaler_ica_channel_id2
+ type: long
+ - name: netscaler_ica_channel_id2_bytes
+ type: long
+ - name: netscaler_ica_channel_id3
+ type: long
+ - name: netscaler_ica_channel_id3_bytes
+ type: long
+ - name: netscaler_ica_channel_id4
+ type: long
+ - name: netscaler_ica_channel_id4_bytes
+ type: long
+ - name: netscaler_ica_channel_id5
+ type: long
+ - name: netscaler_ica_channel_id5_bytes
+ type: long
+ - name: netscaler_ica_client_host_name
+ type: keyword
+ - name: netscaler_ica_client_ip
+ type: ip
+ - name: netscaler_ica_client_launcher
+ type: integer
+ - name: netscaler_ica_client_side_rto_count
+ type: integer
+ - name: netscaler_ica_client_side_window_size
+ type: integer
+ - name: netscaler_ica_client_type
+ type: integer
+ - name: netscaler_ica_clientside_delay
+ type: long
+ - name: netscaler_ica_clientside_jitter
+ type: long
+ - name: netscaler_ica_clientside_packets_retransmit
+ type: integer
+ - name: netscaler_ica_clientside_rtt
+ type: long
+ - name: netscaler_ica_clientside_rx_bytes
+ type: long
+ - name: netscaler_ica_clientside_srtt
+ type: long
+ - name: netscaler_ica_clientside_tx_bytes
+ type: long
+ - name: netscaler_ica_connection_priority
+ type: integer
+ - name: netscaler_ica_device_serial_no
+ type: long
+ - name: netscaler_ica_domain_name
+ type: keyword
+ - name: netscaler_ica_flags
+ type: long
+ - name: netscaler_ica_host_delay
+ type: long
+ - name: netscaler_ica_l7_client_latency
+ type: long
+ - name: netscaler_ica_l7_server_latency
+ type: long
+ - name: netscaler_ica_launch_mechanism
+ type: integer
+ - name: netscaler_ica_network_update_end_time
+ type: long
+ - name: netscaler_ica_network_update_start_time
+ type: long
+ - name: netscaler_ica_rtt
+ type: long
+ - name: netscaler_ica_server_name
+ type: keyword
+ - name: netscaler_ica_server_side_rto_count
+ type: integer
+ - name: netscaler_ica_server_side_window_size
+ type: integer
+ - name: netscaler_ica_serverside_delay
+ type: long
+ - name: netscaler_ica_serverside_jitter
+ type: long
+ - name: netscaler_ica_serverside_packets_retransmit
+ type: integer
+ - name: netscaler_ica_serverside_rtt
+ type: long
+ - name: netscaler_ica_serverside_srtt
+ type: long
+ - name: netscaler_ica_session_end_time
+ type: long
+ - name: netscaler_ica_session_guid
+ type: short
+ - name: netscaler_ica_session_reconnects
+ type: short
+ - name: netscaler_ica_session_setup_time
+ type: long
+ - name: netscaler_ica_session_update_begin_sec
+ type: long
+ - name: netscaler_ica_session_update_end_sec
+ type: long
+ - name: netscaler_ica_username
+ type: keyword
+ - name: netscaler_license_type
+ type: short
+ - name: netscaler_main_page_core_id
+ type: long
+ - name: netscaler_main_page_id
+ type: long
+ - name: netscaler_max_license_count
+ type: long
+ - name: netscaler_msi_client_cookie
+ type: short
+ - name: netscaler_round_trip_time
+ type: long
+ - name: netscaler_server_ttfb
+ type: long
+ - name: netscaler_server_ttlb
+ type: long
+ - name: netscaler_syslog_message
+ type: keyword
+ - name: netscaler_syslog_priority
+ type: short
+ - name: netscaler_syslog_timestamp
+ type: long
+ - name: netscaler_transaction_id
+ type: long
+ - name: netscaler_unknown270
+ type: long
+ - name: netscaler_unknown271
+ type: long
+ - name: netscaler_unknown272
+ type: long
+ - name: netscaler_unknown273
+ type: long
+ - name: netscaler_unknown274
+ type: long
+ - name: netscaler_unknown275
+ type: long
+ - name: netscaler_unknown276
+ type: long
+ - name: netscaler_unknown277
+ type: long
+ - name: netscaler_unknown278
+ type: long
+ - name: netscaler_unknown279
+ type: long
+ - name: netscaler_unknown280
+ type: long
+ - name: netscaler_unknown281
+ type: long
+ - name: netscaler_unknown282
+ type: long
+ - name: netscaler_unknown283
+ type: long
+ - name: netscaler_unknown284
+ type: long
+ - name: netscaler_unknown285
+ type: long
+ - name: netscaler_unknown286
+ type: long
+ - name: netscaler_unknown287
+ type: long
+ - name: netscaler_unknown288
+ type: long
+ - name: netscaler_unknown289
+ type: long
+ - name: netscaler_unknown290
+ type: long
+ - name: netscaler_unknown291
+ type: long
+ - name: netscaler_unknown292
+ type: long
+ - name: netscaler_unknown293
+ type: long
+ - name: netscaler_unknown294
+ type: long
+ - name: netscaler_unknown295
+ type: long
+ - name: netscaler_unknown296
+ type: long
+ - name: netscaler_unknown297
+ type: long
+ - name: netscaler_unknown298
+ type: long
+ - name: netscaler_unknown299
+ type: long
+ - name: netscaler_unknown300
+ type: long
+ - name: netscaler_unknown301
+ type: long
+ - name: netscaler_unknown302
+ type: long
+ - name: netscaler_unknown303
+ type: long
+ - name: netscaler_unknown304
+ type: long
+ - name: netscaler_unknown305
+ type: long
+ - name: netscaler_unknown306
+ type: long
+ - name: netscaler_unknown307
+ type: long
+ - name: netscaler_unknown308
+ type: long
+ - name: netscaler_unknown309
+ type: long
+ - name: netscaler_unknown310
+ type: long
+ - name: netscaler_unknown311
+ type: long
+ - name: netscaler_unknown312
+ type: long
+ - name: netscaler_unknown313
+ type: long
+ - name: netscaler_unknown314
+ type: long
+ - name: netscaler_unknown315
+ type: long
+ - name: netscaler_unknown316
+ type: keyword
+ - name: netscaler_unknown317
+ type: long
+ - name: netscaler_unknown318
+ type: long
+ - name: netscaler_unknown319
+ type: keyword
+ - name: netscaler_unknown320
+ type: integer
+ - name: netscaler_unknown321
+ type: long
+ - name: netscaler_unknown322
+ type: long
+ - name: netscaler_unknown323
+ type: integer
+ - name: netscaler_unknown324
+ type: integer
+ - name: netscaler_unknown325
+ type: integer
+ - name: netscaler_unknown326
+ type: integer
+ - name: netscaler_unknown327
+ type: long
+ - name: netscaler_unknown328
+ type: integer
+ - name: netscaler_unknown329
+ type: integer
+ - name: netscaler_unknown330
+ type: integer
+ - name: netscaler_unknown331
+ type: integer
+ - name: netscaler_unknown332
+ type: long
+ - name: netscaler_unknown333
+ type: keyword
+ - name: netscaler_unknown334
+ type: keyword
+ - name: netscaler_unknown335
+ type: long
+ - name: netscaler_unknown336
+ type: long
+ - name: netscaler_unknown337
+ type: long
+ - name: netscaler_unknown338
+ type: long
+ - name: netscaler_unknown339
+ type: long
+ - name: netscaler_unknown340
+ type: long
+ - name: netscaler_unknown341
+ type: long
+ - name: netscaler_unknown342
+ type: long
+ - name: netscaler_unknown343
+ type: long
+ - name: netscaler_unknown344
+ type: long
+ - name: netscaler_unknown345
+ type: long
+ - name: netscaler_unknown346
+ type: long
+ - name: netscaler_unknown347
+ type: long
+ - name: netscaler_unknown348
+ type: integer
+ - name: netscaler_unknown349
+ type: keyword
+ - name: netscaler_unknown350
+ type: keyword
+ - name: netscaler_unknown351
+ type: keyword
+ - name: netscaler_unknown352
+ type: integer
+ - name: netscaler_unknown353
+ type: long
+ - name: netscaler_unknown354
+ type: long
+ - name: netscaler_unknown355
+ type: long
+ - name: netscaler_unknown356
+ type: long
+ - name: netscaler_unknown357
+ type: long
+ - name: netscaler_unknown363
+ type: short
+ - name: netscaler_unknown383
+ type: short
+ - name: netscaler_unknown391
+ type: long
+ - name: netscaler_unknown398
+ type: long
+ - name: netscaler_unknown404
+ type: long
+ - name: netscaler_unknown405
+ type: long
+ - name: netscaler_unknown427
+ type: long
+ - name: netscaler_unknown429
+ type: short
+ - name: netscaler_unknown432
+ type: short
+ - name: netscaler_unknown433
+ type: short
+ - name: netscaler_unknown453
+ type: long
+ - name: netscaler_unknown465
+ type: long
+ - name: new_connection_delta_count
+ type: long
+ - name: next_header_ipv6
+ type: short
+ - name: non_empty_packet_count
+ type: long
+ - name: not_sent_flow_total_count
+ type: long
+ - name: not_sent_layer2_octet_total_count
+ type: long
+ - name: not_sent_octet_total_count
+ type: long
+ - name: not_sent_packet_total_count
+ type: long
+ - name: observation_domain_id
+ type: long
+ - name: observation_domain_name
+ type: keyword
+ - name: observation_point_id
+ type: long
+ - name: observation_point_type
+ type: short
+ - name: observation_time_microseconds
+ type: date
+ - name: observation_time_milliseconds
+ type: date
+ - name: observation_time_nanoseconds
+ type: date
+ - name: observation_time_seconds
+ type: date
+ - name: observed_flow_total_count
+ type: long
+ - name: octet_delta_count
+ type: long
+ - name: octet_delta_sum_of_squares
+ type: long
+ - name: octet_total_count
+ type: long
+ - name: octet_total_sum_of_squares
+ type: long
+ - name: opaque_octets
+ type: short
+ - name: original_exporter_ipv4_address
+ type: ip
+ - name: original_exporter_ipv6_address
+ type: ip
+ - name: original_flows_completed
+ type: long
+ - name: original_flows_initiated
+ type: long
+ - name: original_flows_present
+ type: long
+ - name: original_observation_domain_id
+ type: long
+ - name: os_finger_print
+ type: keyword
+ - name: os_name
+ type: keyword
+ - name: os_version
+ type: keyword
+ - name: p2p_technology
+ type: keyword
+ - name: packet_delta_count
+ type: long
+ - name: packet_total_count
+ type: long
+ - name: padding_octets
+ type: short
+ - name: payload
+ type: keyword
+ - name: payload_entropy
+ type: short
+ - name: payload_length_ipv6
+ type: integer
+ - name: policy_qos_classification_hierarchy
+ type: long
+ - name: policy_qos_queue_index
+ type: long
+ - name: policy_qos_queuedrops
+ type: long
+ - name: policy_qos_queueindex
+ type: long
+ - name: port_id
+ type: long
+ - name: port_range_end
+ type: integer
+ - name: port_range_num_ports
+ type: integer
+ - name: port_range_start
+ type: integer
+ - name: port_range_step_size
+ type: integer
+ - name: post_destination_mac_address
+ type: keyword
+ - name: post_dot1q_customer_vlan_id
+ type: integer
+ - name: post_dot1q_vlan_id
+ type: integer
+ - name: post_ip_class_of_service
+ type: short
+ - name: post_ip_diff_serv_code_point
+ type: short
+ - name: post_ip_precedence
+ type: short
+ - name: post_layer2_octet_delta_count
+ type: long
+ - name: post_layer2_octet_total_count
+ type: long
+ - name: post_mcast_layer2_octet_delta_count
+ type: long
+ - name: post_mcast_layer2_octet_total_count
+ type: long
+ - name: post_mcast_octet_delta_count
+ type: long
+ - name: post_mcast_octet_total_count
+ type: long
+ - name: post_mcast_packet_delta_count
+ type: long
+ - name: post_mcast_packet_total_count
+ type: long
+ - name: post_mpls_top_label_exp
+ type: short
+ - name: post_napt_destination_transport_port
+ type: integer
+ - name: post_napt_source_transport_port
+ type: integer
+ - name: post_nat_destination_ipv4_address
+ type: ip
+ - name: post_nat_destination_ipv6_address
+ type: ip
+ - name: post_nat_source_ipv4_address
+ type: ip
+ - name: post_nat_source_ipv6_address
+ type: ip
+ - name: post_octet_delta_count
+ type: long
+ - name: post_octet_total_count
+ type: long
+ - name: post_packet_delta_count
+ type: long
+ - name: post_packet_total_count
+ type: long
+ - name: post_source_mac_address
+ type: keyword
+ - name: post_vlan_id
+ type: integer
+ - name: private_enterprise_number
+ type: long
+ - name: procera_apn
+ type: keyword
+ - name: procera_base_service
+ type: keyword
+ - name: procera_content_categories
+ type: keyword
+ - name: procera_device_id
+ type: long
+ - name: procera_external_rtt
+ type: integer
+ - name: procera_flow_behavior
+ type: keyword
+ - name: procera_ggsn
+ type: keyword
+ - name: procera_http_content_type
+ type: keyword
+ - name: procera_http_file_length
+ type: long
+ - name: procera_http_language
+ type: keyword
+ - name: procera_http_location
+ type: keyword
+ - name: procera_http_referer
+ type: keyword
+ - name: procera_http_request_method
+ type: keyword
+ - name: procera_http_request_version
+ type: keyword
+ - name: procera_http_response_status
+ type: integer
+ - name: procera_http_url
+ type: keyword
+ - name: procera_http_user_agent
+ type: keyword
+ - name: procera_imsi
+ type: long
+ - name: procera_incoming_octets
+ type: long
+ - name: procera_incoming_packets
+ type: long
+ - name: procera_incoming_shaping_drops
+ type: long
+ - name: procera_incoming_shaping_latency
+ type: integer
+ - name: procera_internal_rtt
+ type: integer
+ - name: procera_local_ipv4_host
+ type: ip
+ - name: procera_local_ipv6_host
+ type: ip
+ - name: procera_msisdn
+ type: long
+ - name: procera_outgoing_octets
+ type: long
+ - name: procera_outgoing_packets
+ type: long
+ - name: procera_outgoing_shaping_drops
+ type: long
+ - name: procera_outgoing_shaping_latency
+ type: integer
+ - name: procera_property
+ type: keyword
+ - name: procera_qoe_incoming_external
+ type: float
+ - name: procera_qoe_incoming_internal
+ type: float
+ - name: procera_qoe_outgoing_external
+ type: float
+ - name: procera_qoe_outgoing_internal
+ type: float
+ - name: procera_rat
+ type: keyword
+ - name: procera_remote_ipv4_host
+ type: ip
+ - name: procera_remote_ipv6_host
+ type: ip
+ - name: procera_rnc
+ type: integer
+ - name: procera_server_hostname
+ type: keyword
+ - name: procera_service
+ type: keyword
+ - name: procera_sgsn
+ type: keyword
+ - name: procera_subscriber_identifier
+ type: keyword
+ - name: procera_template_name
+ type: keyword
+ - name: procera_user_location_information
+ type: keyword
+ - name: protocol_identifier
+ type: short
+ - name: pseudo_wire_control_word
+ type: long
+ - name: pseudo_wire_destination_ipv4_address
+ type: ip
+ - name: pseudo_wire_id
+ type: long
+ - name: pseudo_wire_type
+ type: integer
+ - name: reason
+ type: long
+ - name: reason_text
+ type: keyword
+ - name: relative_error
+ type: double
+ - name: responder_octets
+ type: long
+ - name: responder_packets
+ type: long
+ - name: reverse_absolute_error
+ type: double
+ - name: reverse_anonymization_flags
+ type: integer
+ - name: reverse_anonymization_technique
+ type: integer
+ - name: reverse_application_category_name
+ type: keyword
+ - name: reverse_application_description
+ type: keyword
+ - name: reverse_application_group_name
+ type: keyword
+ - name: reverse_application_id
+ type: keyword
+ - name: reverse_application_name
+ type: keyword
+ - name: reverse_application_sub_category_name
+ type: keyword
+ - name: reverse_average_interarrival_time
+ type: long
+ - name: reverse_bgp_destination_as_number
+ type: long
+ - name: reverse_bgp_next_adjacent_as_number
+ type: long
+ - name: reverse_bgp_next_hop_ipv4_address
+ type: ip
+ - name: reverse_bgp_next_hop_ipv6_address
+ type: ip
+ - name: reverse_bgp_prev_adjacent_as_number
+ type: long
+ - name: reverse_bgp_source_as_number
+ type: long
+ - name: reverse_bgp_validity_state
+ type: short
+ - name: reverse_class_id
+ type: short
+ - name: reverse_class_name
+ type: keyword
+ - name: reverse_classification_engine_id
+ type: short
+ - name: reverse_collection_time_milliseconds
+ type: long
+ - name: reverse_collector_certificate
+ type: keyword
+ - name: reverse_confidence_level
+ type: double
+ - name: reverse_connection_sum_duration_seconds
+ type: long
+ - name: reverse_connection_transaction_id
+ type: long
+ - name: reverse_data_byte_count
+ type: long
+ - name: reverse_data_link_frame_section
+ type: keyword
+ - name: reverse_data_link_frame_size
+ type: integer
+ - name: reverse_data_link_frame_type
+ type: integer
+ - name: reverse_data_records_reliability
+ type: short
+ - name: reverse_delta_flow_count
+ type: long
+ - name: reverse_destination_ipv4_address
+ type: ip
+ - name: reverse_destination_ipv4_prefix
+ type: ip
+ - name: reverse_destination_ipv4_prefix_length
+ type: short
+ - name: reverse_destination_ipv6_address
+ type: ip
+ - name: reverse_destination_ipv6_prefix
+ type: ip
+ - name: reverse_destination_ipv6_prefix_length
+ type: short
+ - name: reverse_destination_mac_address
+ type: keyword
+ - name: reverse_destination_transport_port
+ type: integer
+ - name: reverse_digest_hash_value
+ type: long
+ - name: reverse_distinct_count_of_destination_ip_address
+ type: long
+ - name: reverse_distinct_count_of_destination_ipv4_address
+ type: long
+ - name: reverse_distinct_count_of_destination_ipv6_address
+ type: long
+ - name: reverse_distinct_count_of_source_ip_address
+ type: long
+ - name: reverse_distinct_count_of_source_ipv4_address
+ type: long
+ - name: reverse_distinct_count_of_source_ipv6_address
+ type: long
+ - name: reverse_dot1q_customer_dei
+ type: short
+ - name: reverse_dot1q_customer_destination_mac_address
+ type: keyword
+ - name: reverse_dot1q_customer_priority
+ type: short
+ - name: reverse_dot1q_customer_source_mac_address
+ type: keyword
+ - name: reverse_dot1q_customer_vlan_id
+ type: integer
+ - name: reverse_dot1q_dei
+ type: short
+ - name: reverse_dot1q_priority
+ type: short
+ - name: reverse_dot1q_service_instance_id
+ type: long
+ - name: reverse_dot1q_service_instance_priority
+ type: short
+ - name: reverse_dot1q_service_instance_tag
+ type: keyword
+ - name: reverse_dot1q_vlan_id
+ type: integer
+ - name: reverse_dropped_layer2_octet_delta_count
+ type: long
+ - name: reverse_dropped_layer2_octet_total_count
+ type: long
+ - name: reverse_dropped_octet_delta_count
+ type: long
+ - name: reverse_dropped_octet_total_count
+ type: long
+ - name: reverse_dropped_packet_delta_count
+ type: long
+ - name: reverse_dropped_packet_total_count
+ type: long
+ - name: reverse_dst_traffic_index
+ type: long
+ - name: reverse_egress_broadcast_packet_total_count
+ type: long
+ - name: reverse_egress_interface
+ type: long
+ - name: reverse_egress_interface_type
+ type: long
+ - name: reverse_egress_physical_interface
+ type: long
+ - name: reverse_egress_unicast_packet_total_count
+ type: long
+ - name: reverse_egress_vrfid
+ type: long
+ - name: reverse_encrypted_technology
+ type: keyword
+ - name: reverse_engine_id
+ type: short
+ - name: reverse_engine_type
+ type: short
+ - name: reverse_ethernet_header_length
+ type: short
+ - name: reverse_ethernet_payload_length
+ type: integer
+ - name: reverse_ethernet_total_length
+ type: integer
+ - name: reverse_ethernet_type
+ type: integer
+ - name: reverse_export_sctp_stream_id
+ type: integer
+ - name: reverse_exporter_certificate
+ type: keyword
+ - name: reverse_exporting_process_id
+ type: long
+ - name: reverse_firewall_event
+ type: short
+ - name: reverse_first_non_empty_packet_size
+ type: integer
+ - name: reverse_first_packet_banner
+ type: keyword
+ - name: reverse_flags_and_sampler_id
+ type: long
+ - name: reverse_flow_active_timeout
+ type: integer
+ - name: reverse_flow_attributes
+ type: integer
+ - name: reverse_flow_delta_milliseconds
+ type: long
+ - name: reverse_flow_direction
+ type: short
+ - name: reverse_flow_duration_microseconds
+ type: long
+ - name: reverse_flow_duration_milliseconds
+ type: long
+ - name: reverse_flow_end_delta_microseconds
+ type: long
+ - name: reverse_flow_end_microseconds
+ type: long
+ - name: reverse_flow_end_milliseconds
+ type: long
+ - name: reverse_flow_end_nanoseconds
+ type: long
+ - name: reverse_flow_end_reason
+ type: short
+ - name: reverse_flow_end_seconds
+ type: long
+ - name: reverse_flow_end_sys_up_time
+ type: long
+ - name: reverse_flow_idle_timeout
+ type: integer
+ - name: reverse_flow_label_ipv6
+ type: long
+ - name: reverse_flow_sampling_time_interval
+ type: long
+ - name: reverse_flow_sampling_time_spacing
+ type: long
+ - name: reverse_flow_selected_flow_delta_count
+ type: long
+ - name: reverse_flow_selected_octet_delta_count
+ type: long
+ - name: reverse_flow_selected_packet_delta_count
+ type: long
+ - name: reverse_flow_selector_algorithm
+ type: integer
+ - name: reverse_flow_start_delta_microseconds
+ type: long
+ - name: reverse_flow_start_microseconds
+ type: long
+ - name: reverse_flow_start_milliseconds
+ type: long
+ - name: reverse_flow_start_nanoseconds
+ type: 
long + - name: reverse_flow_start_seconds + type: long + - name: reverse_flow_start_sys_up_time + type: long + - name: reverse_forwarding_status + type: long + - name: reverse_fragment_flags + type: short + - name: reverse_fragment_identification + type: long + - name: reverse_fragment_offset + type: integer + - name: reverse_gre_key + type: long + - name: reverse_hash_digest_output + type: short + - name: reverse_hash_flow_domain + type: integer + - name: reverse_hash_initialiser_value + type: long + - name: reverse_hash_ip_payload_offset + type: long + - name: reverse_hash_ip_payload_size + type: long + - name: reverse_hash_output_range_max + type: long + - name: reverse_hash_output_range_min + type: long + - name: reverse_hash_selected_range_max + type: long + - name: reverse_hash_selected_range_min + type: long + - name: reverse_icmp_code_ipv4 + type: short + - name: reverse_icmp_code_ipv6 + type: short + - name: reverse_icmp_type_code_ipv4 + type: integer + - name: reverse_icmp_type_code_ipv6 + type: integer + - name: reverse_icmp_type_ipv4 + type: short + - name: reverse_icmp_type_ipv6 + type: short + - name: reverse_igmp_type + type: short + - name: reverse_ignored_data_record_total_count + type: long + - name: reverse_ignored_layer2_frame_total_count + type: long + - name: reverse_ignored_layer2_octet_total_count + type: long + - name: reverse_information_element_data_type + type: short + - name: reverse_information_element_description + type: keyword + - name: reverse_information_element_id + type: integer + - name: reverse_information_element_index + type: integer + - name: reverse_information_element_name + type: keyword + - name: reverse_information_element_range_begin + type: long + - name: reverse_information_element_range_end + type: long + - name: reverse_information_element_semantics + type: short + - name: reverse_information_element_units + type: integer + - name: reverse_ingress_broadcast_packet_total_count + type: long + - name: 
reverse_ingress_interface + type: long + - name: reverse_ingress_interface_type + type: long + - name: reverse_ingress_multicast_packet_total_count + type: long + - name: reverse_ingress_physical_interface + type: long + - name: reverse_ingress_unicast_packet_total_count + type: long + - name: reverse_ingress_vrfid + type: long + - name: reverse_initial_tcp_flags + type: short + - name: reverse_initiator_octets + type: long + - name: reverse_initiator_packets + type: long + - name: reverse_interface_description + type: keyword + - name: reverse_interface_name + type: keyword + - name: reverse_intermediate_process_id + type: long + - name: reverse_ip_class_of_service + type: short + - name: reverse_ip_diff_serv_code_point + type: short + - name: reverse_ip_header_length + type: short + - name: reverse_ip_header_packet_section + type: keyword + - name: reverse_ip_next_hop_ipv4_address + type: ip + - name: reverse_ip_next_hop_ipv6_address + type: ip + - name: reverse_ip_payload_length + type: long + - name: reverse_ip_payload_packet_section + type: keyword + - name: reverse_ip_precedence + type: short + - name: reverse_ip_sec_spi + type: long + - name: reverse_ip_total_length + type: long + - name: reverse_ip_ttl + type: short + - name: reverse_ip_version + type: short + - name: reverse_ipv4_ihl + type: short + - name: reverse_ipv4_options + type: long + - name: reverse_ipv4_router_sc + type: ip + - name: reverse_ipv6_extension_headers + type: long + - name: reverse_is_multicast + type: short + - name: reverse_large_packet_count + type: long + - name: reverse_layer2_frame_delta_count + type: long + - name: reverse_layer2_frame_total_count + type: long + - name: reverse_layer2_octet_delta_count + type: long + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + - name: reverse_layer2_octet_total_count + type: long + - name: reverse_layer2_octet_total_sum_of_squares + type: long + - name: reverse_layer2_segment_id + type: long + - name: 
reverse_layer2packet_section_data + type: keyword + - name: reverse_layer2packet_section_offset + type: integer + - name: reverse_layer2packet_section_size + type: integer + - name: reverse_line_card_id + type: long + - name: reverse_lower_ci_limit + type: double + - name: reverse_max_export_seconds + type: long + - name: reverse_max_flow_end_microseconds + type: long + - name: reverse_max_flow_end_milliseconds + type: long + - name: reverse_max_flow_end_nanoseconds + type: long + - name: reverse_max_flow_end_seconds + type: long + - name: reverse_max_packet_size + type: integer + - name: reverse_maximum_ip_total_length + type: long + - name: reverse_maximum_layer2_total_length + type: long + - name: reverse_maximum_ttl + type: short + - name: reverse_message_md5_checksum + type: keyword + - name: reverse_message_scope + type: short + - name: reverse_metering_process_id + type: long + - name: reverse_metro_evc_id + type: keyword + - name: reverse_metro_evc_type + type: short + - name: reverse_min_export_seconds + type: long + - name: reverse_min_flow_start_microseconds + type: long + - name: reverse_min_flow_start_milliseconds + type: long + - name: reverse_min_flow_start_nanoseconds + type: long + - name: reverse_min_flow_start_seconds + type: long + - name: reverse_minimum_ip_total_length + type: long + - name: reverse_minimum_layer2_total_length + type: long + - name: reverse_minimum_ttl + type: short + - name: reverse_monitoring_interval_end_milli_seconds + type: long + - name: reverse_monitoring_interval_start_milli_seconds + type: long + - name: reverse_mpls_label_stack_depth + type: long + - name: reverse_mpls_label_stack_length + type: long + - name: reverse_mpls_label_stack_section + type: keyword + - name: reverse_mpls_label_stack_section10 + type: keyword + - name: reverse_mpls_label_stack_section2 + type: keyword + - name: reverse_mpls_label_stack_section3 + type: keyword + - name: reverse_mpls_label_stack_section4 + type: keyword + - name: 
reverse_mpls_label_stack_section5 + type: keyword + - name: reverse_mpls_label_stack_section6 + type: keyword + - name: reverse_mpls_label_stack_section7 + type: keyword + - name: reverse_mpls_label_stack_section8 + type: keyword + - name: reverse_mpls_label_stack_section9 + type: keyword + - name: reverse_mpls_payload_length + type: long + - name: reverse_mpls_payload_packet_section + type: keyword + - name: reverse_mpls_top_label_exp + type: short + - name: reverse_mpls_top_label_ipv4_address + type: ip + - name: reverse_mpls_top_label_ipv6_address + type: ip + - name: reverse_mpls_top_label_prefix_length + type: short + - name: reverse_mpls_top_label_stack_section + type: keyword + - name: reverse_mpls_top_label_ttl + type: short + - name: reverse_mpls_top_label_type + type: short + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + - name: reverse_multicast_replication_factor + type: long + - name: reverse_nat_event + type: short + - name: reverse_nat_originating_address_realm + type: short + - name: reverse_nat_pool_id + type: long + - name: reverse_nat_pool_name + type: keyword + - name: reverse_nat_type + type: short + - name: reverse_new_connection_delta_count + type: long + - name: reverse_next_header_ipv6 + type: short + - name: reverse_non_empty_packet_count + type: long + - name: reverse_not_sent_layer2_octet_total_count + type: long + - name: reverse_observation_domain_name + type: keyword + - name: reverse_observation_point_id + type: long + - name: reverse_observation_point_type + type: short + - name: reverse_observation_time_microseconds + type: long + - name: reverse_observation_time_milliseconds + type: long + - name: reverse_observation_time_nanoseconds + type: long + - name: reverse_observation_time_seconds + type: long + - name: reverse_octet_delta_count + type: long + - name: reverse_octet_delta_sum_of_squares + type: long + - name: reverse_octet_total_count + type: long + - name: reverse_octet_total_sum_of_squares + type: long + 
- name: reverse_opaque_octets + type: keyword + - name: reverse_original_exporter_ipv4_address + type: ip + - name: reverse_original_exporter_ipv6_address + type: ip + - name: reverse_original_flows_completed + type: long + - name: reverse_original_flows_initiated + type: long + - name: reverse_original_flows_present + type: long + - name: reverse_original_observation_domain_id + type: long + - name: reverse_os_finger_print + type: keyword + - name: reverse_os_name + type: keyword + - name: reverse_os_version + type: keyword + - name: reverse_p2p_technology + type: keyword + - name: reverse_packet_delta_count + type: long + - name: reverse_packet_total_count + type: long + - name: reverse_payload + type: keyword + - name: reverse_payload_entropy + type: short + - name: reverse_payload_length_ipv6 + type: integer + - name: reverse_port_id + type: long + - name: reverse_port_range_end + type: integer + - name: reverse_port_range_num_ports + type: integer + - name: reverse_port_range_start + type: integer + - name: reverse_port_range_step_size + type: integer + - name: reverse_post_destination_mac_address + type: keyword + - name: reverse_post_dot1q_customer_vlan_id + type: integer + - name: reverse_post_dot1q_vlan_id + type: integer + - name: reverse_post_ip_class_of_service + type: short + - name: reverse_post_ip_diff_serv_code_point + type: short + - name: reverse_post_ip_precedence + type: short + - name: reverse_post_layer2_octet_delta_count + type: long + - name: reverse_post_layer2_octet_total_count + type: long + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + - name: reverse_post_mcast_layer2_octet_total_count + type: long + - name: reverse_post_mcast_octet_delta_count + type: long + - name: reverse_post_mcast_octet_total_count + type: long + - name: reverse_post_mcast_packet_delta_count + type: long + - name: reverse_post_mcast_packet_total_count + type: long + - name: reverse_post_mpls_top_label_exp + type: short + - name: 
reverse_post_napt_destination_transport_port + type: integer + - name: reverse_post_napt_source_transport_port + type: integer + - name: reverse_post_nat_destination_ipv4_address + type: ip + - name: reverse_post_nat_destination_ipv6_address + type: ip + - name: reverse_post_nat_source_ipv4_address + type: ip + - name: reverse_post_nat_source_ipv6_address + type: ip + - name: reverse_post_octet_delta_count + type: long + - name: reverse_post_octet_total_count + type: long + - name: reverse_post_packet_delta_count + type: long + - name: reverse_post_packet_total_count + type: long + - name: reverse_post_source_mac_address + type: keyword + - name: reverse_post_vlan_id + type: integer + - name: reverse_private_enterprise_number + type: long + - name: reverse_protocol_identifier + type: short + - name: reverse_pseudo_wire_control_word + type: long + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + - name: reverse_pseudo_wire_id + type: long + - name: reverse_pseudo_wire_type + type: integer + - name: reverse_relative_error + type: double + - name: reverse_responder_octets + type: long + - name: reverse_responder_packets + type: long + - name: reverse_rfc3550_jitter_microseconds + type: long + - name: reverse_rfc3550_jitter_milliseconds + type: long + - name: reverse_rfc3550_jitter_nanoseconds + type: long + - name: reverse_rtp_payload_type + type: short + - name: reverse_rtp_sequence_number + type: integer + - name: reverse_sampler_id + type: short + - name: reverse_sampler_mode + type: short + - name: reverse_sampler_name + type: keyword + - name: reverse_sampler_random_interval + type: long + - name: reverse_sampling_algorithm + type: short + - name: reverse_sampling_flow_interval + type: long + - name: reverse_sampling_flow_spacing + type: long + - name: reverse_sampling_interval + type: long + - name: reverse_sampling_packet_interval + type: long + - name: reverse_sampling_packet_space + type: long + - name: reverse_sampling_population + type: 
long + - name: reverse_sampling_probability + type: double + - name: reverse_sampling_size + type: long + - name: reverse_sampling_time_interval + type: long + - name: reverse_sampling_time_space + type: long + - name: reverse_second_packet_banner + type: keyword + - name: reverse_section_exported_octets + type: integer + - name: reverse_section_offset + type: integer + - name: reverse_selection_sequence_id + type: long + - name: reverse_selector_algorithm + type: integer + - name: reverse_selector_id + type: long + - name: reverse_selector_id_total_flows_observed + type: long + - name: reverse_selector_id_total_flows_selected + type: long + - name: reverse_selector_id_total_pkts_observed + type: long + - name: reverse_selector_id_total_pkts_selected + type: long + - name: reverse_selector_name + type: keyword + - name: reverse_session_scope + type: short + - name: reverse_small_packet_count + type: long + - name: reverse_source_ipv4_address + type: ip + - name: reverse_source_ipv4_prefix + type: ip + - name: reverse_source_ipv4_prefix_length + type: short + - name: reverse_source_ipv6_address + type: ip + - name: reverse_source_ipv6_prefix + type: ip + - name: reverse_source_ipv6_prefix_length + type: short + - name: reverse_source_mac_address + type: keyword + - name: reverse_source_transport_port + type: integer + - name: reverse_src_traffic_index + type: long + - name: reverse_sta_ipv4_address + type: ip + - name: reverse_sta_mac_address + type: keyword + - name: reverse_standard_deviation_interarrival_time + type: long + - name: reverse_standard_deviation_payload_length + type: integer + - name: reverse_system_init_time_milliseconds + type: long + - name: reverse_tcp_ack_total_count + type: long + - name: reverse_tcp_acknowledgement_number + type: long + - name: reverse_tcp_control_bits + type: integer + - name: reverse_tcp_destination_port + type: integer + - name: reverse_tcp_fin_total_count + type: long + - name: reverse_tcp_header_length + type: short + - 
name: reverse_tcp_options + type: long + - name: reverse_tcp_psh_total_count + type: long + - name: reverse_tcp_rst_total_count + type: long + - name: reverse_tcp_sequence_number + type: long + - name: reverse_tcp_source_port + type: integer + - name: reverse_tcp_syn_total_count + type: long + - name: reverse_tcp_urg_total_count + type: long + - name: reverse_tcp_urgent_pointer + type: integer + - name: reverse_tcp_window_scale + type: integer + - name: reverse_tcp_window_size + type: integer + - name: reverse_total_length_ipv4 + type: integer + - name: reverse_transport_octet_delta_count + type: long + - name: reverse_transport_packet_delta_count + type: long + - name: reverse_tunnel_technology + type: keyword + - name: reverse_udp_destination_port + type: integer + - name: reverse_udp_message_length + type: integer + - name: reverse_udp_source_port + type: integer + - name: reverse_union_tcp_flags + type: short + - name: reverse_upper_ci_limit + type: double + - name: reverse_user_name + type: keyword + - name: reverse_value_distribution_method + type: short + - name: reverse_virtual_station_interface_id + type: keyword + - name: reverse_virtual_station_interface_name + type: keyword + - name: reverse_virtual_station_name + type: keyword + - name: reverse_virtual_station_uuid + type: keyword + - name: reverse_vlan_id + type: integer + - name: reverse_vr_fname + type: keyword + - name: reverse_wlan_channel_id + type: short + - name: reverse_wlan_ssid + type: keyword + - name: reverse_wtp_mac_address + type: keyword + - name: rfc3550_jitter_microseconds + type: long + - name: rfc3550_jitter_milliseconds + type: long + - name: rfc3550_jitter_nanoseconds + type: long + - name: rtp_payload_type + type: short + - name: rtp_sequence_number + type: integer + - name: sampler_id + type: short + - name: sampler_mode + type: short + - name: sampler_name + type: keyword + - name: sampler_random_interval + type: long + - name: sampling_algorithm + type: short + - name: 
sampling_flow_interval + type: long + - name: sampling_flow_spacing + type: long + - name: sampling_interval + type: long + - name: sampling_packet_interval + type: long + - name: sampling_packet_space + type: long + - name: sampling_population + type: long + - name: sampling_probability + type: double + - name: sampling_size + type: long + - name: sampling_time_interval + type: long + - name: sampling_time_space + type: long + - name: second_packet_banner + type: keyword + - name: section_exported_octets + type: integer + - name: section_offset + type: integer + - name: selection_sequence_id + type: long + - name: selector_algorithm + type: integer + - name: selector_id + type: long + - name: selector_id_total_flows_observed + type: long + - name: selector_id_total_flows_selected + type: long + - name: selector_id_total_pkts_observed + type: long + - name: selector_id_total_pkts_selected + type: long + - name: selector_name + type: keyword + - name: service_name + type: keyword + - name: session_scope + type: short + - name: silk_app_label + type: integer + - name: small_packet_count + type: long + - name: source_ipv4_address + type: ip + - name: source_ipv4_prefix + type: ip + - name: source_ipv4_prefix_length + type: short + - name: source_ipv6_address + type: ip + - name: source_ipv6_prefix + type: ip + - name: source_ipv6_prefix_length + type: short + - name: source_mac_address + type: keyword + - name: source_transport_port + type: integer + - name: source_transport_ports_limit + type: integer + - name: src_traffic_index + type: long + - name: ssl_cert_serial_number + type: keyword + - name: ssl_cert_signature + type: keyword + - name: ssl_cert_validity_not_after + type: keyword + - name: ssl_cert_validity_not_before + type: keyword + - name: ssl_cert_version + type: short + - name: ssl_certificate_hash + type: keyword + - name: ssl_cipher + type: keyword + - name: ssl_client_version + type: short + - name: ssl_compression_method + type: short + - name: 
ssl_object_type + type: keyword + - name: ssl_object_value + type: keyword + - name: ssl_public_key_algorithm + type: keyword + - name: ssl_public_key_length + type: keyword + - name: ssl_server_cipher + type: long + - name: ssl_server_name + type: keyword + - name: sta_ipv4_address + type: ip + - name: sta_mac_address + type: keyword + - name: standard_deviation_interarrival_time + type: long + - name: standard_deviation_payload_length + type: short + - name: system_init_time_milliseconds + type: date + - name: tcp_ack_total_count + type: long + - name: tcp_acknowledgement_number + type: long + - name: tcp_control_bits + type: integer + - name: tcp_destination_port + type: integer + - name: tcp_fin_total_count + type: long + - name: tcp_header_length + type: short + - name: tcp_options + type: long + - name: tcp_psh_total_count + type: long + - name: tcp_rst_total_count + type: long + - name: tcp_sequence_number + type: long + - name: tcp_source_port + type: integer + - name: tcp_syn_total_count + type: long + - name: tcp_urg_total_count + type: long + - name: tcp_urgent_pointer + type: integer + - name: tcp_window_scale + type: integer + - name: tcp_window_size + type: integer + - name: template_id + type: integer + - name: tftp_filename + type: keyword + - name: tftp_mode + type: keyword + - name: timestamp + type: long + - name: timestamp_absolute_monitoring-interval + type: long + - name: total_length_ipv4 + type: integer + - name: traffic_type + type: short + - name: transport_octet_delta_count + type: long + - name: transport_packet_delta_count + type: long + - name: tunnel_technology + type: keyword + - name: udp_destination_port + type: integer + - name: udp_message_length + type: integer + - name: udp_source_port + type: integer + - name: union_tcp_flags + type: short + - name: upper_ci_limit + type: double + - name: user_name + type: keyword + - name: username + type: keyword + - name: value_distribution_method + type: short + - name: viptela_vpn_id + 
type: long + - name: virtual_station_interface_id + type: short + - name: virtual_station_interface_name + type: keyword + - name: virtual_station_name + type: keyword + - name: virtual_station_uuid + type: short + - name: vlan_id + type: integer + - name: vmware_egress_interface_attr + type: integer + - name: vmware_ingress_interface_attr + type: integer + - name: vmware_tenant_dest_ipv4 + type: ip + - name: vmware_tenant_dest_ipv6 + type: ip + - name: vmware_tenant_dest_port + type: integer + - name: vmware_tenant_protocol + type: short + - name: vmware_tenant_source_ipv4 + type: ip + - name: vmware_tenant_source_ipv6 + type: ip + - name: vmware_tenant_source_port + type: integer + - name: vmware_vxlan_export_role + type: short + - name: vpn_identifier + type: short + - name: vr_fname + type: keyword + - name: waasoptimization_segment + type: short + - name: wlan_channel_id + type: short + - name: wlan_ssid + type: keyword + - name: wtp_mac_address + type: keyword + - name: xlate_destination_address_ip_v4 + type: ip + - name: xlate_destination_port + type: integer + - name: xlate_source_address_ip_v4 + type: ip + - name: xlate_source_port + type: integer diff --git a/packages/netflow/2.0.1/data_stream/log/manifest.yml b/packages/netflow/2.0.1/data_stream/log/manifest.yml new file mode 100755 index 0000000000..bf706ae5c5 --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/manifest.yml 
@@ -0,0 +1,80 @@
+title: NetFlow logs
+type: logs
+streams:
+ - input: netflow
+ template_path: netflow.yml.hbs
+ title: Collect NetFlow logs
+ description: Collect NetFlow logs using the netflow input
+ vars:
+ - name: host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 2055
+ - name: expiration_timeout
+ type: text
+ title: Time duration before an idle session or unused template is expired
+ multi: false
+ required: true
+ show_user: false
+ default: 30m
+ - name: queue_size
+ type: integer
+ title: Maximum number of packets that can be queued for processing
+ multi: false
+ required: true
+ show_user: false
+ default: 8192
+ - name: custom_definitions
+ type: text
+ title: Custom definitions
+ multi: true
+ required: false
+ show_user: false
+ default: ""
+ - name: detect_sequence_reset
+ type: bool
+ title: Whether to detect sequence reset
+ multi: false
+ required: true
+ show_user: false
+ default: true
+ - name: max_message_size
+ type: text
+ title: Maximum size of the message received over UDP
+ multi: false
+ required: true
+ show_user: false
+ default: 10KiB
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - netflow
+ - forwarded
+ - name: timeout
+ type: text
+ title: Read timeout for socket operations
+ multi: false
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
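Review bot: The `host` and `port` entries in this manifest's `vars` list carry only a `title`, so a user enabling the policy is not told that they are opening an unauthenticated UDP listener: NetFlow and IPFIX carry no sender authentication, so any host that can reach the port can inject flow records, and the exporter identity recorded from the datagram source address is spoofable. I would add under `host` the line `description: Address to bind the UDP listener to. Keep it on a management interface and restrict the port with a firewall/ACL to known exporters; NetFlow/IPFIX provide no authentication of the sender.` and a matching one-line `description` under `port`, following the convention the `processors` var already uses. Separately, `custom_definitions` is declared `multi: true` with `default: ""`, which presumably renders as a list containing one empty string rather than an empty list; worth confirming the `netflow.yml.hbs` template tolerates that, since the template is not in this hunk.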
diff --git a/packages/netflow/2.0.1/data_stream/log/sample_event.json b/packages/netflow/2.0.1/data_stream/log/sample_event.json new file mode 100755 index 0000000000..458d2a07f8 --- /dev/null +++ b/packages/netflow/2.0.1/data_stream/log/sample_event.json 
@@ -0,0 +1,121 @@ +{ + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "499040e3-2739-4333-bc0a-714aceaaa76b", + "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "data_stream": { + "dataset": "netflow.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "netflow_flow", + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "created": "2022-05-12T09:08:00.955Z", + "dataset": "netflow.log", + "ingested": "2022-05-12T09:08:01Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "192.168.208.4:56750", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + 
"protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": "192.168.208.4" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + }, + "tags": [ + "netflow", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/docs/README.md b/packages/netflow/2.0.1/docs/README.md new file mode 100755 index 0000000000..5762481369 --- /dev/null +++ b/packages/netflow/2.0.1/docs/README.md 
@@ -0,0 +1,1783 @@ +# Netflow Integration + +This integration is for receiving NetFlow and IPFIX flow records over UDP. It +supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow +versions older than 9, fields are mapped automatically to NetFlow v9. + +It includes the following dataset: + +- `log` dataset + +## Compatibility + +## Logs + +### log + +The `log` dataset collects netflow logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| as.organization.name | Organization name. | keyword | +| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. 
| ip | +| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | +| client.packets | Packets sent from the client to the server. | long | +| client.port | Port of the client. | long | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | +| client.user.id | Unique identifier of the user. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.locality | Whether the destination IP is private or public. | keyword | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.full_name | User's full name, if available. | keyword | +| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | +| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. 
| keyword | +| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
| keyword | +| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | +| error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. 
default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | +| file.created | File creation time. Note that not all filesystems store the creation time. | date | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. 
| keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| flow.id | Hash of source and destination IPs. | keyword | +| flow.locality | Identifies whether the flow involved public IP addresses or only private address. | keyword | +| geo.city_name | City name. | keyword | +| geo.continent_name | Name of the continent. | keyword | +| geo.country_iso_code | Country ISO code. | keyword | +| geo.country_name | Country name. | keyword | +| geo.location | Longitude and latitude. | geo_point | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_iso_code | Region ISO code. | keyword | +| geo.region_name | Region name. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| hash.md5 | MD5 hash. | keyword | +| hash.sha1 | SHA1 hash. | keyword | +| hash.sha256 | SHA256 hash. 
| keyword | +| hash.sha512 | SHA512 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. 
| keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.body.content | The full HTTP request body. | wildcard | +| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. 
Example: `docker` and `k8s` labels. | object | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.origin.file.line | The line number of the file containing the source code which originated the log event. | long | +| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | +| log.origin.function | The name of the function or method which originated the log event. | keyword | +| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| netflow.absolute_error | | double | +| netflow.address_pool_high_threshold | | long | +| netflow.address_pool_low_threshold | | long | +| netflow.address_port_mapping_high_threshold | | long | +| netflow.address_port_mapping_low_threshold | | long | +| netflow.address_port_mapping_per_user_high_threshold | | long | +| netflow.afc_protocol | | integer | +| netflow.afc_protocol_name | | keyword | +| netflow.anonymization_flags | | integer | +| netflow.anonymization_technique | | integer | +| netflow.application_business-relevance | | long | +| netflow.application_category_name | | keyword | +| netflow.application_description | | keyword | +| netflow.application_group_name | | keyword | +| netflow.application_http_uri_statistics | | short | +| netflow.application_http_user-agent | | short | +| netflow.application_id | | short | +| netflow.application_name | | keyword | +| netflow.application_sub_category_name | | keyword | +| netflow.application_traffic-class | | long | +| netflow.art_client_network_time_maximum | | long | +| netflow.art_client_network_time_minimum | | long | +| netflow.art_client_network_time_sum | | long | +| 
netflow.art_clientpackets | | long | +| netflow.art_count_late_responses | | long | +| netflow.art_count_new_connections | | long | +| netflow.art_count_responses | | long | +| netflow.art_count_responses_histogram_bucket1 | | long | +| netflow.art_count_responses_histogram_bucket2 | | long | +| netflow.art_count_responses_histogram_bucket3 | | long | +| netflow.art_count_responses_histogram_bucket4 | | long | +| netflow.art_count_responses_histogram_bucket5 | | long | +| netflow.art_count_responses_histogram_bucket6 | | long | +| netflow.art_count_responses_histogram_bucket7 | | long | +| netflow.art_count_retransmissions | | long | +| netflow.art_count_transactions | | long | +| netflow.art_network_time_maximum | | long | +| netflow.art_network_time_minimum | | long | +| netflow.art_network_time_sum | | long | +| netflow.art_response_time_maximum | | long | +| netflow.art_response_time_minimum | | long | +| netflow.art_response_time_sum | | long | +| netflow.art_server_network_time_maximum | | long | +| netflow.art_server_network_time_minimum | | long | +| netflow.art_server_network_time_sum | | long | +| netflow.art_server_response_time_maximum | | long | +| netflow.art_server_response_time_minimum | | long | +| netflow.art_server_response_time_sum | | long | +| netflow.art_serverpackets | | long | +| netflow.art_total_response_time_maximum | | long | +| netflow.art_total_response_time_minimum | | long | +| netflow.art_total_response_time_sum | | long | +| netflow.art_total_transaction_time_maximum | | long | +| netflow.art_total_transaction_time_minimum | | long | +| netflow.art_total_transaction_time_sum | | long | +| netflow.assembled_fragment_count | | long | +| netflow.audit_counter | | long | +| netflow.average_interarrival_time | | long | +| netflow.bgp_destination_as_number | | long | +| netflow.bgp_next_adjacent_as_number | | long | +| netflow.bgp_next_hop_ipv4_address | | ip | +| netflow.bgp_next_hop_ipv6_address | | ip | +| 
netflow.bgp_prev_adjacent_as_number | | long | +| netflow.bgp_source_as_number | | long | +| netflow.bgp_validity_state | | short | +| netflow.biflow_direction | | short | +| netflow.bind_ipv4_address | | ip | +| netflow.bind_transport_port | | integer | +| netflow.class_id | | long | +| netflow.class_name | | keyword | +| netflow.classification_engine_id | | short | +| netflow.collection_time_milliseconds | | date | +| netflow.collector_certificate | | short | +| netflow.collector_ipv4_address | | ip | +| netflow.collector_ipv6_address | | ip | +| netflow.collector_transport_port | | integer | +| netflow.common_properties_id | | long | +| netflow.confidence_level | | double | +| netflow.conn_ipv4_address | | ip | +| netflow.conn_transport_port | | integer | +| netflow.connection_sum_duration_seconds | | long | +| netflow.connection_transaction_id | | long | +| netflow.conntrack_id | | long | +| netflow.data_byte_count | | long | +| netflow.data_link_frame_section | | short | +| netflow.data_link_frame_size | | integer | +| netflow.data_link_frame_type | | integer | +| netflow.data_records_reliability | | boolean | +| netflow.delta_flow_count | | long | +| netflow.destination_ipv4_address | | ip | +| netflow.destination_ipv4_prefix | | ip | +| netflow.destination_ipv4_prefix_length | | short | +| netflow.destination_ipv6_address | | ip | +| netflow.destination_ipv6_prefix | | ip | +| netflow.destination_ipv6_prefix_length | | short | +| netflow.destination_mac_address | | keyword | +| netflow.destination_transport_port | | integer | +| netflow.digest_hash_value | | long | +| netflow.distinct_count_of_destination_ip_address | | long | +| netflow.distinct_count_of_destination_ipv4_address | | long | +| netflow.distinct_count_of_destination_ipv6_address | | long | +| netflow.distinct_count_of_source_ip_address | | long | +| netflow.distinct_count_of_source_ipv4_address | | long | +| netflow.distinct_count_of_source_ipv6_address | | long | +| netflow.dns_authoritative 
| | short | +| netflow.dns_cname | | keyword | +| netflow.dns_id | | integer | +| netflow.dns_mx_exchange | | keyword | +| netflow.dns_mx_preference | | integer | +| netflow.dns_nsd_name | | keyword | +| netflow.dns_nx_domain | | short | +| netflow.dns_ptrd_name | | keyword | +| netflow.dns_qname | | keyword | +| netflow.dns_qr_type | | integer | +| netflow.dns_query_response | | short | +| netflow.dns_rr_section | | short | +| netflow.dns_soa_expire | | long | +| netflow.dns_soa_minimum | | long | +| netflow.dns_soa_refresh | | long | +| netflow.dns_soa_retry | | long | +| netflow.dns_soa_serial | | long | +| netflow.dns_soam_name | | keyword | +| netflow.dns_soar_name | | keyword | +| netflow.dns_srv_port | | integer | +| netflow.dns_srv_priority | | integer | +| netflow.dns_srv_target | | integer | +| netflow.dns_srv_weight | | integer | +| netflow.dns_ttl | | long | +| netflow.dns_txt_data | | keyword | +| netflow.dot1q_customer_dei | | boolean | +| netflow.dot1q_customer_destination_mac_address | | keyword | +| netflow.dot1q_customer_priority | | short | +| netflow.dot1q_customer_source_mac_address | | keyword | +| netflow.dot1q_customer_vlan_id | | integer | +| netflow.dot1q_dei | | boolean | +| netflow.dot1q_priority | | short | +| netflow.dot1q_service_instance_id | | long | +| netflow.dot1q_service_instance_priority | | short | +| netflow.dot1q_service_instance_tag | | short | +| netflow.dot1q_vlan_id | | integer | +| netflow.dropped_layer2_octet_delta_count | | long | +| netflow.dropped_layer2_octet_total_count | | long | +| netflow.dropped_octet_delta_count | | long | +| netflow.dropped_octet_total_count | | long | +| netflow.dropped_packet_delta_count | | long | +| netflow.dropped_packet_total_count | | long | +| netflow.dst_traffic_index | | long | +| netflow.egress_broadcast_packet_total_count | | long | +| netflow.egress_interface | | long | +| netflow.egress_interface_type | | long | +| netflow.egress_physical_interface | | long | +| 
netflow.egress_unicast_packet_total_count | | long | +| netflow.egress_vrfid | | long | +| netflow.encrypted_technology | | keyword | +| netflow.engine_id | | short | +| netflow.engine_type | | short | +| netflow.ethernet_header_length | | short | +| netflow.ethernet_payload_length | | integer | +| netflow.ethernet_total_length | | integer | +| netflow.ethernet_type | | integer | +| netflow.expired_fragment_count | | long | +| netflow.export_interface | | long | +| netflow.export_protocol_version | | short | +| netflow.export_sctp_stream_id | | integer | +| netflow.export_transport_protocol | | short | +| netflow.exported_flow_record_total_count | | long | +| netflow.exported_message_total_count | | long | +| netflow.exported_octet_total_count | | long | +| netflow.exporter.address | Exporter's network address in IP:port format. | keyword | +| netflow.exporter.source_id | Observation domain ID to which this record belongs. | long | +| netflow.exporter.timestamp | Time and date of export. | date | +| netflow.exporter.uptime_millis | How long the exporter process has been running, in milliseconds. | long | +| netflow.exporter.version | NetFlow version used. 
| integer | +| netflow.exporter_certificate | | short | +| netflow.exporter_ipv4_address | | ip | +| netflow.exporter_ipv6_address | | ip | +| netflow.exporter_transport_port | | integer | +| netflow.exporting_process_id | | long | +| netflow.external_address_realm | | short | +| netflow.firewall_event | | short | +| netflow.first_eight_non_empty_packet_directions | | short | +| netflow.first_non_empty_packet_size | | integer | +| netflow.first_packet_banner | | keyword | +| netflow.flags_and_sampler_id | | long | +| netflow.flow_active_timeout | | integer | +| netflow.flow_attributes | | integer | +| netflow.flow_direction | | short | +| netflow.flow_duration_microseconds | | long | +| netflow.flow_duration_milliseconds | | long | +| netflow.flow_end_delta_microseconds | | long | +| netflow.flow_end_microseconds | | date | +| netflow.flow_end_milliseconds | | date | +| netflow.flow_end_nanoseconds | | date | +| netflow.flow_end_reason | | short | +| netflow.flow_end_seconds | | date | +| netflow.flow_end_sys_up_time | | long | +| netflow.flow_id | | long | +| netflow.flow_idle_timeout | | integer | +| netflow.flow_key_indicator | | long | +| netflow.flow_label_ipv6 | | long | +| netflow.flow_sampling_time_interval | | long | +| netflow.flow_sampling_time_spacing | | long | +| netflow.flow_selected_flow_delta_count | | long | +| netflow.flow_selected_octet_delta_count | | long | +| netflow.flow_selected_packet_delta_count | | long | +| netflow.flow_selector_algorithm | | integer | +| netflow.flow_start_delta_microseconds | | long | +| netflow.flow_start_microseconds | | date | +| netflow.flow_start_milliseconds | | date | +| netflow.flow_start_nanoseconds | | date | +| netflow.flow_start_seconds | | date | +| netflow.flow_start_sys_up_time | | long | +| netflow.flow_table_flush_event_count | | long | +| netflow.flow_table_peak_count | | long | +| netflow.forwarding_status | | short | +| netflow.fragment_flags | | short | +| netflow.fragment_identification | | long 
| +| netflow.fragment_offset | | integer | +| netflow.fw_blackout_secs | | long | +| netflow.fw_configured_value | | long | +| netflow.fw_cts_src_sgt | | long | +| netflow.fw_event_level | | long | +| netflow.fw_event_level_id | | long | +| netflow.fw_ext_event | | integer | +| netflow.fw_ext_event_alt | | long | +| netflow.fw_ext_event_desc | | keyword | +| netflow.fw_half_open_count | | long | +| netflow.fw_half_open_high | | long | +| netflow.fw_half_open_rate | | long | +| netflow.fw_max_sessions | | long | +| netflow.fw_rule | | keyword | +| netflow.fw_summary_pkt_count | | long | +| netflow.fw_zone_pair_id | | long | +| netflow.fw_zone_pair_name | | long | +| netflow.global_address_mapping_high_threshold | | long | +| netflow.gre_key | | long | +| netflow.hash_digest_output | | boolean | +| netflow.hash_flow_domain | | integer | +| netflow.hash_initialiser_value | | long | +| netflow.hash_ip_payload_offset | | long | +| netflow.hash_ip_payload_size | | long | +| netflow.hash_output_range_max | | long | +| netflow.hash_output_range_min | | long | +| netflow.hash_selected_range_max | | long | +| netflow.hash_selected_range_min | | long | +| netflow.http_content_type | | keyword | +| netflow.http_message_version | | keyword | +| netflow.http_reason_phrase | | keyword | +| netflow.http_request_host | | keyword | +| netflow.http_request_method | | keyword | +| netflow.http_request_target | | keyword | +| netflow.http_status_code | | integer | +| netflow.http_user_agent | | keyword | +| netflow.icmp_code_ipv4 | | short | +| netflow.icmp_code_ipv6 | | short | +| netflow.icmp_type_code_ipv4 | | integer | +| netflow.icmp_type_code_ipv6 | | integer | +| netflow.icmp_type_ipv4 | | short | +| netflow.icmp_type_ipv6 | | short | +| netflow.igmp_type | | short | +| netflow.ignored_data_record_total_count | | long | +| netflow.ignored_layer2_frame_total_count | | long | +| netflow.ignored_layer2_octet_total_count | | long | +| netflow.ignored_octet_total_count | | long | +| 
netflow.ignored_packet_total_count | | long | +| netflow.information_element_data_type | | short | +| netflow.information_element_description | | keyword | +| netflow.information_element_id | | integer | +| netflow.information_element_index | | integer | +| netflow.information_element_name | | keyword | +| netflow.information_element_range_begin | | long | +| netflow.information_element_range_end | | long | +| netflow.information_element_semantics | | short | +| netflow.information_element_units | | integer | +| netflow.ingress_broadcast_packet_total_count | | long | +| netflow.ingress_interface | | long | +| netflow.ingress_interface_type | | long | +| netflow.ingress_multicast_packet_total_count | | long | +| netflow.ingress_physical_interface | | long | +| netflow.ingress_unicast_packet_total_count | | long | +| netflow.ingress_vrfid | | long | +| netflow.initial_tcp_flags | | short | +| netflow.initiator_octets | | long | +| netflow.initiator_packets | | long | +| netflow.interface_description | | keyword | +| netflow.interface_name | | keyword | +| netflow.intermediate_process_id | | long | +| netflow.internal_address_realm | | short | +| netflow.ip_class_of_service | | short | +| netflow.ip_diff_serv_code_point | | short | +| netflow.ip_header_length | | short | +| netflow.ip_header_packet_section | | short | +| netflow.ip_next_hop_ipv4_address | | ip | +| netflow.ip_next_hop_ipv6_address | | ip | +| netflow.ip_payload_length | | long | +| netflow.ip_payload_packet_section | | short | +| netflow.ip_precedence | | short | +| netflow.ip_sec_spi | | long | +| netflow.ip_total_length | | long | +| netflow.ip_ttl | | short | +| netflow.ip_version | | short | +| netflow.ipv4_ihl | | short | +| netflow.ipv4_options | | long | +| netflow.ipv4_router_sc | | ip | +| netflow.ipv6_extension_headers | | long | +| netflow.is_multicast | | short | +| netflow.ixia_browser_id | | short | +| netflow.ixia_browser_name | | keyword | +| netflow.ixia_device_id | | short | +| 
netflow.ixia_device_name | | keyword | +| netflow.ixia_dns_answer | | keyword | +| netflow.ixia_dns_classes | | keyword | +| netflow.ixia_dns_query | | keyword | +| netflow.ixia_dns_record_txt | | keyword | +| netflow.ixia_dst_as_name | | keyword | +| netflow.ixia_dst_city_name | | keyword | +| netflow.ixia_dst_country_code | | keyword | +| netflow.ixia_dst_country_name | | keyword | +| netflow.ixia_dst_latitude | | float | +| netflow.ixia_dst_longitude | | float | +| netflow.ixia_dst_region_code | | keyword | +| netflow.ixia_dst_region_node | | keyword | +| netflow.ixia_encrypt_cipher | | keyword | +| netflow.ixia_encrypt_key_length | | integer | +| netflow.ixia_encrypt_type | | keyword | +| netflow.ixia_http_host_name | | keyword | +| netflow.ixia_http_uri | | keyword | +| netflow.ixia_http_user_agent | | keyword | +| netflow.ixia_imsi_subscriber | | keyword | +| netflow.ixia_l7_app_id | | long | +| netflow.ixia_l7_app_name | | keyword | +| netflow.ixia_latency | | long | +| netflow.ixia_rev_octet_delta_count | | long | +| netflow.ixia_rev_packet_delta_count | | long | +| netflow.ixia_src_as_name | | keyword | +| netflow.ixia_src_city_name | | keyword | +| netflow.ixia_src_country_code | | keyword | +| netflow.ixia_src_country_name | | keyword | +| netflow.ixia_src_latitude | | float | +| netflow.ixia_src_longitude | | float | +| netflow.ixia_src_region_code | | keyword | +| netflow.ixia_src_region_name | | keyword | +| netflow.ixia_threat_ipv4 | | ip | +| netflow.ixia_threat_ipv6 | | ip | +| netflow.ixia_threat_type | | keyword | +| netflow.large_packet_count | | long | +| netflow.layer2_frame_delta_count | | long | +| netflow.layer2_frame_total_count | | long | +| netflow.layer2_octet_delta_count | | long | +| netflow.layer2_octet_delta_sum_of_squares | | long | +| netflow.layer2_octet_total_count | | long | +| netflow.layer2_octet_total_sum_of_squares | | long | +| netflow.layer2_segment_id | | long | +| netflow.layer2packet_section_data | | short | +| 
netflow.layer2packet_section_offset | | integer | +| netflow.layer2packet_section_size | | integer | +| netflow.line_card_id | | long | +| netflow.log_op | | short | +| netflow.lower_ci_limit | | double | +| netflow.mark | | long | +| netflow.max_bib_entries | | long | +| netflow.max_entries_per_user | | long | +| netflow.max_export_seconds | | date | +| netflow.max_flow_end_microseconds | | date | +| netflow.max_flow_end_milliseconds | | date | +| netflow.max_flow_end_nanoseconds | | date | +| netflow.max_flow_end_seconds | | date | +| netflow.max_fragments_pending_reassembly | | long | +| netflow.max_packet_size | | integer | +| netflow.max_session_entries | | long | +| netflow.max_subscribers | | long | +| netflow.maximum_ip_total_length | | long | +| netflow.maximum_layer2_total_length | | long | +| netflow.maximum_ttl | | short | +| netflow.mean_flow_rate | | long | +| netflow.mean_packet_rate | | long | +| netflow.message_md5_checksum | | short | +| netflow.message_scope | | short | +| netflow.metering_process_id | | long | +| netflow.metro_evc_id | | keyword | +| netflow.metro_evc_type | | short | +| netflow.mib_capture_time_semantics | | short | +| netflow.mib_context_engine_id | | short | +| netflow.mib_context_name | | keyword | +| netflow.mib_index_indicator | | long | +| netflow.mib_module_name | | keyword | +| netflow.mib_object_description | | keyword | +| netflow.mib_object_identifier | | short | +| netflow.mib_object_name | | keyword | +| netflow.mib_object_syntax | | keyword | +| netflow.mib_object_value_bits | | short | +| netflow.mib_object_value_counter | | long | +| netflow.mib_object_value_gauge | | long | +| netflow.mib_object_value_integer | | integer | +| netflow.mib_object_value_ip_address | | ip | +| netflow.mib_object_value_octet_string | | short | +| netflow.mib_object_value_oid | | short | +| netflow.mib_object_value_time_ticks | | long | +| netflow.mib_object_value_unsigned | | long | +| netflow.mib_sub_identifier | | long | +| 
netflow.min_export_seconds | | date | +| netflow.min_flow_start_microseconds | | date | +| netflow.min_flow_start_milliseconds | | date | +| netflow.min_flow_start_nanoseconds | | date | +| netflow.min_flow_start_seconds | | date | +| netflow.minimum_ip_total_length | | long | +| netflow.minimum_layer2_total_length | | long | +| netflow.minimum_ttl | | short | +| netflow.mobile_imsi | | keyword | +| netflow.mobile_msisdn | | keyword | +| netflow.monitoring_interval_end_milli_seconds | | date | +| netflow.monitoring_interval_start_milli_seconds | | date | +| netflow.mpls_label_stack_depth | | long | +| netflow.mpls_label_stack_length | | long | +| netflow.mpls_label_stack_section | | short | +| netflow.mpls_label_stack_section10 | | short | +| netflow.mpls_label_stack_section2 | | short | +| netflow.mpls_label_stack_section3 | | short | +| netflow.mpls_label_stack_section4 | | short | +| netflow.mpls_label_stack_section5 | | short | +| netflow.mpls_label_stack_section6 | | short | +| netflow.mpls_label_stack_section7 | | short | +| netflow.mpls_label_stack_section8 | | short | +| netflow.mpls_label_stack_section9 | | short | +| netflow.mpls_payload_length | | long | +| netflow.mpls_payload_packet_section | | short | +| netflow.mpls_top_label_exp | | short | +| netflow.mpls_top_label_ipv4_address | | ip | +| netflow.mpls_top_label_ipv6_address | | ip | +| netflow.mpls_top_label_prefix_length | | short | +| netflow.mpls_top_label_stack_section | | short | +| netflow.mpls_top_label_ttl | | short | +| netflow.mpls_top_label_type | | short | +| netflow.mpls_vpn_route_distinguisher | | short | +| netflow.mptcp_address_id | | short | +| netflow.mptcp_flags | | short | +| netflow.mptcp_initial_data_sequence_number | | long | +| netflow.mptcp_maximum_segment_size | | integer | +| netflow.mptcp_receiver_token | | long | +| netflow.multicast_replication_factor | | long | +| netflow.nat_event | | short | +| netflow.nat_inside_svcid | | integer | +| netflow.nat_instance_id | | 
long | +| netflow.nat_originating_address_realm | | short | +| netflow.nat_outside_svcid | | integer | +| netflow.nat_pool_id | | long | +| netflow.nat_pool_name | | keyword | +| netflow.nat_quota_exceeded_event | | long | +| netflow.nat_sub_string | | keyword | +| netflow.nat_threshold_event | | long | +| netflow.nat_type | | short | +| netflow.netscale_ica_client_version | | keyword | +| netflow.netscaler_aaa_username | | keyword | +| netflow.netscaler_app_name | | keyword | +| netflow.netscaler_app_name_app_id | | long | +| netflow.netscaler_app_name_incarnation_number | | long | +| netflow.netscaler_app_template_name | | keyword | +| netflow.netscaler_app_unit_name_app_id | | long | +| netflow.netscaler_application_startup_duration | | long | +| netflow.netscaler_application_startup_time | | long | +| netflow.netscaler_cache_redir_client_connection_core_id | | long | +| netflow.netscaler_cache_redir_client_connection_transaction_id | | long | +| netflow.netscaler_client_rtt | | long | +| netflow.netscaler_connection_chain_hop_count | | long | +| netflow.netscaler_connection_chain_id | | short | +| netflow.netscaler_connection_id | | long | +| netflow.netscaler_current_license_consumed | | long | +| netflow.netscaler_db_clt_host_name | | keyword | +| netflow.netscaler_db_database_name | | keyword | +| netflow.netscaler_db_login_flags | | long | +| netflow.netscaler_db_protocol_name | | short | +| netflow.netscaler_db_req_string | | keyword | +| netflow.netscaler_db_req_type | | short | +| netflow.netscaler_db_resp_length | | long | +| netflow.netscaler_db_resp_status | | long | +| netflow.netscaler_db_resp_status_string | | keyword | +| netflow.netscaler_db_user_name | | keyword | +| netflow.netscaler_flow_flags | | long | +| netflow.netscaler_http_client_interaction_end_time | | keyword | +| netflow.netscaler_http_client_interaction_start_time | | keyword | +| netflow.netscaler_http_client_render_end_time | | keyword | +| 
netflow.netscaler_http_client_render_start_time | | keyword | +| netflow.netscaler_http_content_type | | keyword | +| netflow.netscaler_http_domain_name | | keyword | +| netflow.netscaler_http_req_authorization | | keyword | +| netflow.netscaler_http_req_cookie | | keyword | +| netflow.netscaler_http_req_forw_fb | | long | +| netflow.netscaler_http_req_forw_lb | | long | +| netflow.netscaler_http_req_host | | keyword | +| netflow.netscaler_http_req_method | | keyword | +| netflow.netscaler_http_req_rcv_fb | | long | +| netflow.netscaler_http_req_rcv_lb | | long | +| netflow.netscaler_http_req_referer | | keyword | +| netflow.netscaler_http_req_url | | keyword | +| netflow.netscaler_http_req_user_agent | | keyword | +| netflow.netscaler_http_req_via | | keyword | +| netflow.netscaler_http_req_xforwarded_for | | keyword | +| netflow.netscaler_http_res_forw_fb | | long | +| netflow.netscaler_http_res_forw_lb | | long | +| netflow.netscaler_http_res_location | | keyword | +| netflow.netscaler_http_res_rcv_fb | | long | +| netflow.netscaler_http_res_rcv_lb | | long | +| netflow.netscaler_http_res_set_cookie | | keyword | +| netflow.netscaler_http_res_set_cookie2 | | keyword | +| netflow.netscaler_http_rsp_len | | long | +| netflow.netscaler_http_rsp_status | | integer | +| netflow.netscaler_ica_app_module_path | | keyword | +| netflow.netscaler_ica_app_process_id | | long | +| netflow.netscaler_ica_application_name | | keyword | +| netflow.netscaler_ica_application_termination_time | | long | +| netflow.netscaler_ica_application_termination_type | | integer | +| netflow.netscaler_ica_channel_id1 | | long | +| netflow.netscaler_ica_channel_id1_bytes | | long | +| netflow.netscaler_ica_channel_id2 | | long | +| netflow.netscaler_ica_channel_id2_bytes | | long | +| netflow.netscaler_ica_channel_id3 | | long | +| netflow.netscaler_ica_channel_id3_bytes | | long | +| netflow.netscaler_ica_channel_id4 | | long | +| netflow.netscaler_ica_channel_id4_bytes | | long | +| 
netflow.netscaler_ica_channel_id5 | | long | +| netflow.netscaler_ica_channel_id5_bytes | | long | +| netflow.netscaler_ica_client_host_name | | keyword | +| netflow.netscaler_ica_client_ip | | ip | +| netflow.netscaler_ica_client_launcher | | integer | +| netflow.netscaler_ica_client_side_rto_count | | integer | +| netflow.netscaler_ica_client_side_window_size | | integer | +| netflow.netscaler_ica_client_type | | integer | +| netflow.netscaler_ica_clientside_delay | | long | +| netflow.netscaler_ica_clientside_jitter | | long | +| netflow.netscaler_ica_clientside_packets_retransmit | | integer | +| netflow.netscaler_ica_clientside_rtt | | long | +| netflow.netscaler_ica_clientside_rx_bytes | | long | +| netflow.netscaler_ica_clientside_srtt | | long | +| netflow.netscaler_ica_clientside_tx_bytes | | long | +| netflow.netscaler_ica_connection_priority | | integer | +| netflow.netscaler_ica_device_serial_no | | long | +| netflow.netscaler_ica_domain_name | | keyword | +| netflow.netscaler_ica_flags | | long | +| netflow.netscaler_ica_host_delay | | long | +| netflow.netscaler_ica_l7_client_latency | | long | +| netflow.netscaler_ica_l7_server_latency | | long | +| netflow.netscaler_ica_launch_mechanism | | integer | +| netflow.netscaler_ica_network_update_end_time | | long | +| netflow.netscaler_ica_network_update_start_time | | long | +| netflow.netscaler_ica_rtt | | long | +| netflow.netscaler_ica_server_name | | keyword | +| netflow.netscaler_ica_server_side_rto_count | | integer | +| netflow.netscaler_ica_server_side_window_size | | integer | +| netflow.netscaler_ica_serverside_delay | | long | +| netflow.netscaler_ica_serverside_jitter | | long | +| netflow.netscaler_ica_serverside_packets_retransmit | | integer | +| netflow.netscaler_ica_serverside_rtt | | long | +| netflow.netscaler_ica_serverside_srtt | | long | +| netflow.netscaler_ica_session_end_time | | long | +| netflow.netscaler_ica_session_guid | | short | +| netflow.netscaler_ica_session_reconnects 
| | short | +| netflow.netscaler_ica_session_setup_time | | long | +| netflow.netscaler_ica_session_update_begin_sec | | long | +| netflow.netscaler_ica_session_update_end_sec | | long | +| netflow.netscaler_ica_username | | keyword | +| netflow.netscaler_license_type | | short | +| netflow.netscaler_main_page_core_id | | long | +| netflow.netscaler_main_page_id | | long | +| netflow.netscaler_max_license_count | | long | +| netflow.netscaler_msi_client_cookie | | short | +| netflow.netscaler_round_trip_time | | long | +| netflow.netscaler_server_ttfb | | long | +| netflow.netscaler_server_ttlb | | long | +| netflow.netscaler_syslog_message | | keyword | +| netflow.netscaler_syslog_priority | | short | +| netflow.netscaler_syslog_timestamp | | long | +| netflow.netscaler_transaction_id | | long | +| netflow.netscaler_unknown270 | | long | +| netflow.netscaler_unknown271 | | long | +| netflow.netscaler_unknown272 | | long | +| netflow.netscaler_unknown273 | | long | +| netflow.netscaler_unknown274 | | long | +| netflow.netscaler_unknown275 | | long | +| netflow.netscaler_unknown276 | | long | +| netflow.netscaler_unknown277 | | long | +| netflow.netscaler_unknown278 | | long | +| netflow.netscaler_unknown279 | | long | +| netflow.netscaler_unknown280 | | long | +| netflow.netscaler_unknown281 | | long | +| netflow.netscaler_unknown282 | | long | +| netflow.netscaler_unknown283 | | long | +| netflow.netscaler_unknown284 | | long | +| netflow.netscaler_unknown285 | | long | +| netflow.netscaler_unknown286 | | long | +| netflow.netscaler_unknown287 | | long | +| netflow.netscaler_unknown288 | | long | +| netflow.netscaler_unknown289 | | long | +| netflow.netscaler_unknown290 | | long | +| netflow.netscaler_unknown291 | | long | +| netflow.netscaler_unknown292 | | long | +| netflow.netscaler_unknown293 | | long | +| netflow.netscaler_unknown294 | | long | +| netflow.netscaler_unknown295 | | long | +| netflow.netscaler_unknown296 | | long | +| 
netflow.netscaler_unknown297 | | long | +| netflow.netscaler_unknown298 | | long | +| netflow.netscaler_unknown299 | | long | +| netflow.netscaler_unknown300 | | long | +| netflow.netscaler_unknown301 | | long | +| netflow.netscaler_unknown302 | | long | +| netflow.netscaler_unknown303 | | long | +| netflow.netscaler_unknown304 | | long | +| netflow.netscaler_unknown305 | | long | +| netflow.netscaler_unknown306 | | long | +| netflow.netscaler_unknown307 | | long | +| netflow.netscaler_unknown308 | | long | +| netflow.netscaler_unknown309 | | long | +| netflow.netscaler_unknown310 | | long | +| netflow.netscaler_unknown311 | | long | +| netflow.netscaler_unknown312 | | long | +| netflow.netscaler_unknown313 | | long | +| netflow.netscaler_unknown314 | | long | +| netflow.netscaler_unknown315 | | long | +| netflow.netscaler_unknown316 | | keyword | +| netflow.netscaler_unknown317 | | long | +| netflow.netscaler_unknown318 | | long | +| netflow.netscaler_unknown319 | | keyword | +| netflow.netscaler_unknown320 | | integer | +| netflow.netscaler_unknown321 | | long | +| netflow.netscaler_unknown322 | | long | +| netflow.netscaler_unknown323 | | integer | +| netflow.netscaler_unknown324 | | integer | +| netflow.netscaler_unknown325 | | integer | +| netflow.netscaler_unknown326 | | integer | +| netflow.netscaler_unknown327 | | long | +| netflow.netscaler_unknown328 | | integer | +| netflow.netscaler_unknown329 | | integer | +| netflow.netscaler_unknown330 | | integer | +| netflow.netscaler_unknown331 | | integer | +| netflow.netscaler_unknown332 | | long | +| netflow.netscaler_unknown333 | | keyword | +| netflow.netscaler_unknown334 | | keyword | +| netflow.netscaler_unknown335 | | long | +| netflow.netscaler_unknown336 | | long | +| netflow.netscaler_unknown337 | | long | +| netflow.netscaler_unknown338 | | long | +| netflow.netscaler_unknown339 | | long | +| netflow.netscaler_unknown340 | | long | +| netflow.netscaler_unknown341 | | long | +| 
netflow.netscaler_unknown342 | | long | +| netflow.netscaler_unknown343 | | long | +| netflow.netscaler_unknown344 | | long | +| netflow.netscaler_unknown345 | | long | +| netflow.netscaler_unknown346 | | long | +| netflow.netscaler_unknown347 | | long | +| netflow.netscaler_unknown348 | | integer | +| netflow.netscaler_unknown349 | | keyword | +| netflow.netscaler_unknown350 | | keyword | +| netflow.netscaler_unknown351 | | keyword | +| netflow.netscaler_unknown352 | | integer | +| netflow.netscaler_unknown353 | | long | +| netflow.netscaler_unknown354 | | long | +| netflow.netscaler_unknown355 | | long | +| netflow.netscaler_unknown356 | | long | +| netflow.netscaler_unknown357 | | long | +| netflow.netscaler_unknown363 | | short | +| netflow.netscaler_unknown383 | | short | +| netflow.netscaler_unknown391 | | long | +| netflow.netscaler_unknown398 | | long | +| netflow.netscaler_unknown404 | | long | +| netflow.netscaler_unknown405 | | long | +| netflow.netscaler_unknown427 | | long | +| netflow.netscaler_unknown429 | | short | +| netflow.netscaler_unknown432 | | short | +| netflow.netscaler_unknown433 | | short | +| netflow.netscaler_unknown453 | | long | +| netflow.netscaler_unknown465 | | long | +| netflow.new_connection_delta_count | | long | +| netflow.next_header_ipv6 | | short | +| netflow.non_empty_packet_count | | long | +| netflow.not_sent_flow_total_count | | long | +| netflow.not_sent_layer2_octet_total_count | | long | +| netflow.not_sent_octet_total_count | | long | +| netflow.not_sent_packet_total_count | | long | +| netflow.observation_domain_id | | long | +| netflow.observation_domain_name | | keyword | +| netflow.observation_point_id | | long | +| netflow.observation_point_type | | short | +| netflow.observation_time_microseconds | | date | +| netflow.observation_time_milliseconds | | date | +| netflow.observation_time_nanoseconds | | date | +| netflow.observation_time_seconds | | date | +| netflow.observed_flow_total_count | | long | +| 
netflow.octet_delta_count | | long | +| netflow.octet_delta_sum_of_squares | | long | +| netflow.octet_total_count | | long | +| netflow.octet_total_sum_of_squares | | long | +| netflow.opaque_octets | | short | +| netflow.original_exporter_ipv4_address | | ip | +| netflow.original_exporter_ipv6_address | | ip | +| netflow.original_flows_completed | | long | +| netflow.original_flows_initiated | | long | +| netflow.original_flows_present | | long | +| netflow.original_observation_domain_id | | long | +| netflow.os_finger_print | | keyword | +| netflow.os_name | | keyword | +| netflow.os_version | | keyword | +| netflow.p2p_technology | | keyword | +| netflow.packet_delta_count | | long | +| netflow.packet_total_count | | long | +| netflow.padding_octets | | short | +| netflow.payload | | keyword | +| netflow.payload_entropy | | short | +| netflow.payload_length_ipv6 | | integer | +| netflow.policy_qos_classification_hierarchy | | long | +| netflow.policy_qos_queue_index | | long | +| netflow.policy_qos_queuedrops | | long | +| netflow.policy_qos_queueindex | | long | +| netflow.port_id | | long | +| netflow.port_range_end | | integer | +| netflow.port_range_num_ports | | integer | +| netflow.port_range_start | | integer | +| netflow.port_range_step_size | | integer | +| netflow.post_destination_mac_address | | keyword | +| netflow.post_dot1q_customer_vlan_id | | integer | +| netflow.post_dot1q_vlan_id | | integer | +| netflow.post_ip_class_of_service | | short | +| netflow.post_ip_diff_serv_code_point | | short | +| netflow.post_ip_precedence | | short | +| netflow.post_layer2_octet_delta_count | | long | +| netflow.post_layer2_octet_total_count | | long | +| netflow.post_mcast_layer2_octet_delta_count | | long | +| netflow.post_mcast_layer2_octet_total_count | | long | +| netflow.post_mcast_octet_delta_count | | long | +| netflow.post_mcast_octet_total_count | | long | +| netflow.post_mcast_packet_delta_count | | long | +| netflow.post_mcast_packet_total_count | | 
long | +| netflow.post_mpls_top_label_exp | | short | +| netflow.post_napt_destination_transport_port | | integer | +| netflow.post_napt_source_transport_port | | integer | +| netflow.post_nat_destination_ipv4_address | | ip | +| netflow.post_nat_destination_ipv6_address | | ip | +| netflow.post_nat_source_ipv4_address | | ip | +| netflow.post_nat_source_ipv6_address | | ip | +| netflow.post_octet_delta_count | | long | +| netflow.post_octet_total_count | | long | +| netflow.post_packet_delta_count | | long | +| netflow.post_packet_total_count | | long | +| netflow.post_source_mac_address | | keyword | +| netflow.post_vlan_id | | integer | +| netflow.private_enterprise_number | | long | +| netflow.procera_apn | | keyword | +| netflow.procera_base_service | | keyword | +| netflow.procera_content_categories | | keyword | +| netflow.procera_device_id | | long | +| netflow.procera_external_rtt | | integer | +| netflow.procera_flow_behavior | | keyword | +| netflow.procera_ggsn | | keyword | +| netflow.procera_http_content_type | | keyword | +| netflow.procera_http_file_length | | long | +| netflow.procera_http_language | | keyword | +| netflow.procera_http_location | | keyword | +| netflow.procera_http_referer | | keyword | +| netflow.procera_http_request_method | | keyword | +| netflow.procera_http_request_version | | keyword | +| netflow.procera_http_response_status | | integer | +| netflow.procera_http_url | | keyword | +| netflow.procera_http_user_agent | | keyword | +| netflow.procera_imsi | | long | +| netflow.procera_incoming_octets | | long | +| netflow.procera_incoming_packets | | long | +| netflow.procera_incoming_shaping_drops | | long | +| netflow.procera_incoming_shaping_latency | | integer | +| netflow.procera_internal_rtt | | integer | +| netflow.procera_local_ipv4_host | | ip | +| netflow.procera_local_ipv6_host | | ip | +| netflow.procera_msisdn | | long | +| netflow.procera_outgoing_octets | | long | +| netflow.procera_outgoing_packets | | long | +| 
netflow.procera_outgoing_shaping_drops | | long | +| netflow.procera_outgoing_shaping_latency | | integer | +| netflow.procera_property | | keyword | +| netflow.procera_qoe_incoming_external | | float | +| netflow.procera_qoe_incoming_internal | | float | +| netflow.procera_qoe_outgoing_external | | float | +| netflow.procera_qoe_outgoing_internal | | float | +| netflow.procera_rat | | keyword | +| netflow.procera_remote_ipv4_host | | ip | +| netflow.procera_remote_ipv6_host | | ip | +| netflow.procera_rnc | | integer | +| netflow.procera_server_hostname | | keyword | +| netflow.procera_service | | keyword | +| netflow.procera_sgsn | | keyword | +| netflow.procera_subscriber_identifier | | keyword | +| netflow.procera_template_name | | keyword | +| netflow.procera_user_location_information | | keyword | +| netflow.protocol_identifier | | short | +| netflow.pseudo_wire_control_word | | long | +| netflow.pseudo_wire_destination_ipv4_address | | ip | +| netflow.pseudo_wire_id | | long | +| netflow.pseudo_wire_type | | integer | +| netflow.reason | | long | +| netflow.reason_text | | keyword | +| netflow.relative_error | | double | +| netflow.responder_octets | | long | +| netflow.responder_packets | | long | +| netflow.reverse_absolute_error | | double | +| netflow.reverse_anonymization_flags | | integer | +| netflow.reverse_anonymization_technique | | integer | +| netflow.reverse_application_category_name | | keyword | +| netflow.reverse_application_description | | keyword | +| netflow.reverse_application_group_name | | keyword | +| netflow.reverse_application_id | | keyword | +| netflow.reverse_application_name | | keyword | +| netflow.reverse_application_sub_category_name | | keyword | +| netflow.reverse_average_interarrival_time | | long | +| netflow.reverse_bgp_destination_as_number | | long | +| netflow.reverse_bgp_next_adjacent_as_number | | long | +| netflow.reverse_bgp_next_hop_ipv4_address | | ip | +| netflow.reverse_bgp_next_hop_ipv6_address | | ip | +| 
netflow.reverse_bgp_prev_adjacent_as_number | | long | +| netflow.reverse_bgp_source_as_number | | long | +| netflow.reverse_bgp_validity_state | | short | +| netflow.reverse_class_id | | short | +| netflow.reverse_class_name | | keyword | +| netflow.reverse_classification_engine_id | | short | +| netflow.reverse_collection_time_milliseconds | | long | +| netflow.reverse_collector_certificate | | keyword | +| netflow.reverse_confidence_level | | double | +| netflow.reverse_connection_sum_duration_seconds | | long | +| netflow.reverse_connection_transaction_id | | long | +| netflow.reverse_data_byte_count | | long | +| netflow.reverse_data_link_frame_section | | keyword | +| netflow.reverse_data_link_frame_size | | integer | +| netflow.reverse_data_link_frame_type | | integer | +| netflow.reverse_data_records_reliability | | short | +| netflow.reverse_delta_flow_count | | long | +| netflow.reverse_destination_ipv4_address | | ip | +| netflow.reverse_destination_ipv4_prefix | | ip | +| netflow.reverse_destination_ipv4_prefix_length | | short | +| netflow.reverse_destination_ipv6_address | | ip | +| netflow.reverse_destination_ipv6_prefix | | ip | +| netflow.reverse_destination_ipv6_prefix_length | | short | +| netflow.reverse_destination_mac_address | | keyword | +| netflow.reverse_destination_transport_port | | integer | +| netflow.reverse_digest_hash_value | | long | +| netflow.reverse_distinct_count_of_destination_ip_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv4_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv6_address | | long | +| netflow.reverse_distinct_count_of_source_ip_address | | long | +| netflow.reverse_distinct_count_of_source_ipv4_address | | long | +| netflow.reverse_distinct_count_of_source_ipv6_address | | long | +| netflow.reverse_dot1q_customer_dei | | short | +| netflow.reverse_dot1q_customer_destination_mac_address | | keyword | +| netflow.reverse_dot1q_customer_priority | | short | +| 
netflow.reverse_dot1q_customer_source_mac_address | | keyword | +| netflow.reverse_dot1q_customer_vlan_id | | integer | +| netflow.reverse_dot1q_dei | | short | +| netflow.reverse_dot1q_priority | | short | +| netflow.reverse_dot1q_service_instance_id | | long | +| netflow.reverse_dot1q_service_instance_priority | | short | +| netflow.reverse_dot1q_service_instance_tag | | keyword | +| netflow.reverse_dot1q_vlan_id | | integer | +| netflow.reverse_dropped_layer2_octet_delta_count | | long | +| netflow.reverse_dropped_layer2_octet_total_count | | long | +| netflow.reverse_dropped_octet_delta_count | | long | +| netflow.reverse_dropped_octet_total_count | | long | +| netflow.reverse_dropped_packet_delta_count | | long | +| netflow.reverse_dropped_packet_total_count | | long | +| netflow.reverse_dst_traffic_index | | long | +| netflow.reverse_egress_broadcast_packet_total_count | | long | +| netflow.reverse_egress_interface | | long | +| netflow.reverse_egress_interface_type | | long | +| netflow.reverse_egress_physical_interface | | long | +| netflow.reverse_egress_unicast_packet_total_count | | long | +| netflow.reverse_egress_vrfid | | long | +| netflow.reverse_encrypted_technology | | keyword | +| netflow.reverse_engine_id | | short | +| netflow.reverse_engine_type | | short | +| netflow.reverse_ethernet_header_length | | short | +| netflow.reverse_ethernet_payload_length | | integer | +| netflow.reverse_ethernet_total_length | | integer | +| netflow.reverse_ethernet_type | | integer | +| netflow.reverse_export_sctp_stream_id | | integer | +| netflow.reverse_exporter_certificate | | keyword | +| netflow.reverse_exporting_process_id | | long | +| netflow.reverse_firewall_event | | short | +| netflow.reverse_first_non_empty_packet_size | | integer | +| netflow.reverse_first_packet_banner | | keyword | +| netflow.reverse_flags_and_sampler_id | | long | +| netflow.reverse_flow_active_timeout | | integer | +| netflow.reverse_flow_attributes | | integer | +| 
netflow.reverse_flow_delta_milliseconds | | long | +| netflow.reverse_flow_direction | | short | +| netflow.reverse_flow_duration_microseconds | | long | +| netflow.reverse_flow_duration_milliseconds | | long | +| netflow.reverse_flow_end_delta_microseconds | | long | +| netflow.reverse_flow_end_microseconds | | long | +| netflow.reverse_flow_end_milliseconds | | long | +| netflow.reverse_flow_end_nanoseconds | | long | +| netflow.reverse_flow_end_reason | | short | +| netflow.reverse_flow_end_seconds | | long | +| netflow.reverse_flow_end_sys_up_time | | long | +| netflow.reverse_flow_idle_timeout | | integer | +| netflow.reverse_flow_label_ipv6 | | long | +| netflow.reverse_flow_sampling_time_interval | | long | +| netflow.reverse_flow_sampling_time_spacing | | long | +| netflow.reverse_flow_selected_flow_delta_count | | long | +| netflow.reverse_flow_selected_octet_delta_count | | long | +| netflow.reverse_flow_selected_packet_delta_count | | long | +| netflow.reverse_flow_selector_algorithm | | integer | +| netflow.reverse_flow_start_delta_microseconds | | long | +| netflow.reverse_flow_start_microseconds | | long | +| netflow.reverse_flow_start_milliseconds | | long | +| netflow.reverse_flow_start_nanoseconds | | long | +| netflow.reverse_flow_start_seconds | | long | +| netflow.reverse_flow_start_sys_up_time | | long | +| netflow.reverse_forwarding_status | | long | +| netflow.reverse_fragment_flags | | short | +| netflow.reverse_fragment_identification | | long | +| netflow.reverse_fragment_offset | | integer | +| netflow.reverse_gre_key | | long | +| netflow.reverse_hash_digest_output | | short | +| netflow.reverse_hash_flow_domain | | integer | +| netflow.reverse_hash_initialiser_value | | long | +| netflow.reverse_hash_ip_payload_offset | | long | +| netflow.reverse_hash_ip_payload_size | | long | +| netflow.reverse_hash_output_range_max | | long | +| netflow.reverse_hash_output_range_min | | long | +| netflow.reverse_hash_selected_range_max | | long | +| 
netflow.reverse_hash_selected_range_min | | long | +| netflow.reverse_icmp_code_ipv4 | | short | +| netflow.reverse_icmp_code_ipv6 | | short | +| netflow.reverse_icmp_type_code_ipv4 | | integer | +| netflow.reverse_icmp_type_code_ipv6 | | integer | +| netflow.reverse_icmp_type_ipv4 | | short | +| netflow.reverse_icmp_type_ipv6 | | short | +| netflow.reverse_igmp_type | | short | +| netflow.reverse_ignored_data_record_total_count | | long | +| netflow.reverse_ignored_layer2_frame_total_count | | long | +| netflow.reverse_ignored_layer2_octet_total_count | | long | +| netflow.reverse_information_element_data_type | | short | +| netflow.reverse_information_element_description | | keyword | +| netflow.reverse_information_element_id | | integer | +| netflow.reverse_information_element_index | | integer | +| netflow.reverse_information_element_name | | keyword | +| netflow.reverse_information_element_range_begin | | long | +| netflow.reverse_information_element_range_end | | long | +| netflow.reverse_information_element_semantics | | short | +| netflow.reverse_information_element_units | | integer | +| netflow.reverse_ingress_broadcast_packet_total_count | | long | +| netflow.reverse_ingress_interface | | long | +| netflow.reverse_ingress_interface_type | | long | +| netflow.reverse_ingress_multicast_packet_total_count | | long | +| netflow.reverse_ingress_physical_interface | | long | +| netflow.reverse_ingress_unicast_packet_total_count | | long | +| netflow.reverse_ingress_vrfid | | long | +| netflow.reverse_initial_tcp_flags | | short | +| netflow.reverse_initiator_octets | | long | +| netflow.reverse_initiator_packets | | long | +| netflow.reverse_interface_description | | keyword | +| netflow.reverse_interface_name | | keyword | +| netflow.reverse_intermediate_process_id | | long | +| netflow.reverse_ip_class_of_service | | short | +| netflow.reverse_ip_diff_serv_code_point | | short | +| netflow.reverse_ip_header_length | | short | +| 
netflow.reverse_ip_header_packet_section | | keyword | +| netflow.reverse_ip_next_hop_ipv4_address | | ip | +| netflow.reverse_ip_next_hop_ipv6_address | | ip | +| netflow.reverse_ip_payload_length | | long | +| netflow.reverse_ip_payload_packet_section | | keyword | +| netflow.reverse_ip_precedence | | short | +| netflow.reverse_ip_sec_spi | | long | +| netflow.reverse_ip_total_length | | long | +| netflow.reverse_ip_ttl | | short | +| netflow.reverse_ip_version | | short | +| netflow.reverse_ipv4_ihl | | short | +| netflow.reverse_ipv4_options | | long | +| netflow.reverse_ipv4_router_sc | | ip | +| netflow.reverse_ipv6_extension_headers | | long | +| netflow.reverse_is_multicast | | short | +| netflow.reverse_large_packet_count | | long | +| netflow.reverse_layer2_frame_delta_count | | long | +| netflow.reverse_layer2_frame_total_count | | long | +| netflow.reverse_layer2_octet_delta_count | | long | +| netflow.reverse_layer2_octet_delta_sum_of_squares | | long | +| netflow.reverse_layer2_octet_total_count | | long | +| netflow.reverse_layer2_octet_total_sum_of_squares | | long | +| netflow.reverse_layer2_segment_id | | long | +| netflow.reverse_layer2packet_section_data | | keyword | +| netflow.reverse_layer2packet_section_offset | | integer | +| netflow.reverse_layer2packet_section_size | | integer | +| netflow.reverse_line_card_id | | long | +| netflow.reverse_lower_ci_limit | | double | +| netflow.reverse_max_export_seconds | | long | +| netflow.reverse_max_flow_end_microseconds | | long | +| netflow.reverse_max_flow_end_milliseconds | | long | +| netflow.reverse_max_flow_end_nanoseconds | | long | +| netflow.reverse_max_flow_end_seconds | | long | +| netflow.reverse_max_packet_size | | integer | +| netflow.reverse_maximum_ip_total_length | | long | +| netflow.reverse_maximum_layer2_total_length | | long | +| netflow.reverse_maximum_ttl | | short | +| netflow.reverse_message_md5_checksum | | keyword | +| netflow.reverse_message_scope | | short | +| 
netflow.reverse_metering_process_id | | long | +| netflow.reverse_metro_evc_id | | keyword | +| netflow.reverse_metro_evc_type | | short | +| netflow.reverse_min_export_seconds | | long | +| netflow.reverse_min_flow_start_microseconds | | long | +| netflow.reverse_min_flow_start_milliseconds | | long | +| netflow.reverse_min_flow_start_nanoseconds | | long | +| netflow.reverse_min_flow_start_seconds | | long | +| netflow.reverse_minimum_ip_total_length | | long | +| netflow.reverse_minimum_layer2_total_length | | long | +| netflow.reverse_minimum_ttl | | short | +| netflow.reverse_monitoring_interval_end_milli_seconds | | long | +| netflow.reverse_monitoring_interval_start_milli_seconds | | long | +| netflow.reverse_mpls_label_stack_depth | | long | +| netflow.reverse_mpls_label_stack_length | | long | +| netflow.reverse_mpls_label_stack_section | | keyword | +| netflow.reverse_mpls_label_stack_section10 | | keyword | +| netflow.reverse_mpls_label_stack_section2 | | keyword | +| netflow.reverse_mpls_label_stack_section3 | | keyword | +| netflow.reverse_mpls_label_stack_section4 | | keyword | +| netflow.reverse_mpls_label_stack_section5 | | keyword | +| netflow.reverse_mpls_label_stack_section6 | | keyword | +| netflow.reverse_mpls_label_stack_section7 | | keyword | +| netflow.reverse_mpls_label_stack_section8 | | keyword | +| netflow.reverse_mpls_label_stack_section9 | | keyword | +| netflow.reverse_mpls_payload_length | | long | +| netflow.reverse_mpls_payload_packet_section | | keyword | +| netflow.reverse_mpls_top_label_exp | | short | +| netflow.reverse_mpls_top_label_ipv4_address | | ip | +| netflow.reverse_mpls_top_label_ipv6_address | | ip | +| netflow.reverse_mpls_top_label_prefix_length | | short | +| netflow.reverse_mpls_top_label_stack_section | | keyword | +| netflow.reverse_mpls_top_label_ttl | | short | +| netflow.reverse_mpls_top_label_type | | short | +| netflow.reverse_mpls_vpn_route_distinguisher | | keyword | +| 
netflow.reverse_multicast_replication_factor | | long | +| netflow.reverse_nat_event | | short | +| netflow.reverse_nat_originating_address_realm | | short | +| netflow.reverse_nat_pool_id | | long | +| netflow.reverse_nat_pool_name | | keyword | +| netflow.reverse_nat_type | | short | +| netflow.reverse_new_connection_delta_count | | long | +| netflow.reverse_next_header_ipv6 | | short | +| netflow.reverse_non_empty_packet_count | | long | +| netflow.reverse_not_sent_layer2_octet_total_count | | long | +| netflow.reverse_observation_domain_name | | keyword | +| netflow.reverse_observation_point_id | | long | +| netflow.reverse_observation_point_type | | short | +| netflow.reverse_observation_time_microseconds | | long | +| netflow.reverse_observation_time_milliseconds | | long | +| netflow.reverse_observation_time_nanoseconds | | long | +| netflow.reverse_observation_time_seconds | | long | +| netflow.reverse_octet_delta_count | | long | +| netflow.reverse_octet_delta_sum_of_squares | | long | +| netflow.reverse_octet_total_count | | long | +| netflow.reverse_octet_total_sum_of_squares | | long | +| netflow.reverse_opaque_octets | | keyword | +| netflow.reverse_original_exporter_ipv4_address | | ip | +| netflow.reverse_original_exporter_ipv6_address | | ip | +| netflow.reverse_original_flows_completed | | long | +| netflow.reverse_original_flows_initiated | | long | +| netflow.reverse_original_flows_present | | long | +| netflow.reverse_original_observation_domain_id | | long | +| netflow.reverse_os_finger_print | | keyword | +| netflow.reverse_os_name | | keyword | +| netflow.reverse_os_version | | keyword | +| netflow.reverse_p2p_technology | | keyword | +| netflow.reverse_packet_delta_count | | long | +| netflow.reverse_packet_total_count | | long | +| netflow.reverse_payload | | keyword | +| netflow.reverse_payload_entropy | | short | +| netflow.reverse_payload_length_ipv6 | | integer | +| netflow.reverse_port_id | | long | +| netflow.reverse_port_range_end | 
| integer | +| netflow.reverse_port_range_num_ports | | integer | +| netflow.reverse_port_range_start | | integer | +| netflow.reverse_port_range_step_size | | integer | +| netflow.reverse_post_destination_mac_address | | keyword | +| netflow.reverse_post_dot1q_customer_vlan_id | | integer | +| netflow.reverse_post_dot1q_vlan_id | | integer | +| netflow.reverse_post_ip_class_of_service | | short | +| netflow.reverse_post_ip_diff_serv_code_point | | short | +| netflow.reverse_post_ip_precedence | | short | +| netflow.reverse_post_layer2_octet_delta_count | | long | +| netflow.reverse_post_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_layer2_octet_delta_count | | long | +| netflow.reverse_post_mcast_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_octet_delta_count | | long | +| netflow.reverse_post_mcast_octet_total_count | | long | +| netflow.reverse_post_mcast_packet_delta_count | | long | +| netflow.reverse_post_mcast_packet_total_count | | long | +| netflow.reverse_post_mpls_top_label_exp | | short | +| netflow.reverse_post_napt_destination_transport_port | | integer | +| netflow.reverse_post_napt_source_transport_port | | integer | +| netflow.reverse_post_nat_destination_ipv4_address | | ip | +| netflow.reverse_post_nat_destination_ipv6_address | | ip | +| netflow.reverse_post_nat_source_ipv4_address | | ip | +| netflow.reverse_post_nat_source_ipv6_address | | ip | +| netflow.reverse_post_octet_delta_count | | long | +| netflow.reverse_post_octet_total_count | | long | +| netflow.reverse_post_packet_delta_count | | long | +| netflow.reverse_post_packet_total_count | | long | +| netflow.reverse_post_source_mac_address | | keyword | +| netflow.reverse_post_vlan_id | | integer | +| netflow.reverse_private_enterprise_number | | long | +| netflow.reverse_protocol_identifier | | short | +| netflow.reverse_pseudo_wire_control_word | | long | +| netflow.reverse_pseudo_wire_destination_ipv4_address | | ip | +| 
netflow.reverse_pseudo_wire_id | | long | +| netflow.reverse_pseudo_wire_type | | integer | +| netflow.reverse_relative_error | | double | +| netflow.reverse_responder_octets | | long | +| netflow.reverse_responder_packets | | long | +| netflow.reverse_rfc3550_jitter_microseconds | | long | +| netflow.reverse_rfc3550_jitter_milliseconds | | long | +| netflow.reverse_rfc3550_jitter_nanoseconds | | long | +| netflow.reverse_rtp_payload_type | | short | +| netflow.reverse_rtp_sequence_number | | integer | +| netflow.reverse_sampler_id | | short | +| netflow.reverse_sampler_mode | | short | +| netflow.reverse_sampler_name | | keyword | +| netflow.reverse_sampler_random_interval | | long | +| netflow.reverse_sampling_algorithm | | short | +| netflow.reverse_sampling_flow_interval | | long | +| netflow.reverse_sampling_flow_spacing | | long | +| netflow.reverse_sampling_interval | | long | +| netflow.reverse_sampling_packet_interval | | long | +| netflow.reverse_sampling_packet_space | | long | +| netflow.reverse_sampling_population | | long | +| netflow.reverse_sampling_probability | | double | +| netflow.reverse_sampling_size | | long | +| netflow.reverse_sampling_time_interval | | long | +| netflow.reverse_sampling_time_space | | long | +| netflow.reverse_second_packet_banner | | keyword | +| netflow.reverse_section_exported_octets | | integer | +| netflow.reverse_section_offset | | integer | +| netflow.reverse_selection_sequence_id | | long | +| netflow.reverse_selector_algorithm | | integer | +| netflow.reverse_selector_id | | long | +| netflow.reverse_selector_id_total_flows_observed | | long | +| netflow.reverse_selector_id_total_flows_selected | | long | +| netflow.reverse_selector_id_total_pkts_observed | | long | +| netflow.reverse_selector_id_total_pkts_selected | | long | +| netflow.reverse_selector_name | | keyword | +| netflow.reverse_session_scope | | short | +| netflow.reverse_small_packet_count | | long | +| netflow.reverse_source_ipv4_address | | ip | 
+| netflow.reverse_source_ipv4_prefix | | ip | +| netflow.reverse_source_ipv4_prefix_length | | short | +| netflow.reverse_source_ipv6_address | | ip | +| netflow.reverse_source_ipv6_prefix | | ip | +| netflow.reverse_source_ipv6_prefix_length | | short | +| netflow.reverse_source_mac_address | | keyword | +| netflow.reverse_source_transport_port | | integer | +| netflow.reverse_src_traffic_index | | long | +| netflow.reverse_sta_ipv4_address | | ip | +| netflow.reverse_sta_mac_address | | keyword | +| netflow.reverse_standard_deviation_interarrival_time | | long | +| netflow.reverse_standard_deviation_payload_length | | integer | +| netflow.reverse_system_init_time_milliseconds | | long | +| netflow.reverse_tcp_ack_total_count | | long | +| netflow.reverse_tcp_acknowledgement_number | | long | +| netflow.reverse_tcp_control_bits | | integer | +| netflow.reverse_tcp_destination_port | | integer | +| netflow.reverse_tcp_fin_total_count | | long | +| netflow.reverse_tcp_header_length | | short | +| netflow.reverse_tcp_options | | long | +| netflow.reverse_tcp_psh_total_count | | long | +| netflow.reverse_tcp_rst_total_count | | long | +| netflow.reverse_tcp_sequence_number | | long | +| netflow.reverse_tcp_source_port | | integer | +| netflow.reverse_tcp_syn_total_count | | long | +| netflow.reverse_tcp_urg_total_count | | long | +| netflow.reverse_tcp_urgent_pointer | | integer | +| netflow.reverse_tcp_window_scale | | integer | +| netflow.reverse_tcp_window_size | | integer | +| netflow.reverse_total_length_ipv4 | | integer | +| netflow.reverse_transport_octet_delta_count | | long | +| netflow.reverse_transport_packet_delta_count | | long | +| netflow.reverse_tunnel_technology | | keyword | +| netflow.reverse_udp_destination_port | | integer | +| netflow.reverse_udp_message_length | | integer | +| netflow.reverse_udp_source_port | | integer | +| netflow.reverse_union_tcp_flags | | short | +| netflow.reverse_upper_ci_limit | | double | +| netflow.reverse_user_name | 
| keyword | +| netflow.reverse_value_distribution_method | | short | +| netflow.reverse_virtual_station_interface_id | | keyword | +| netflow.reverse_virtual_station_interface_name | | keyword | +| netflow.reverse_virtual_station_name | | keyword | +| netflow.reverse_virtual_station_uuid | | keyword | +| netflow.reverse_vlan_id | | integer | +| netflow.reverse_vr_fname | | keyword | +| netflow.reverse_wlan_channel_id | | short | +| netflow.reverse_wlan_ssid | | keyword | +| netflow.reverse_wtp_mac_address | | keyword | +| netflow.rfc3550_jitter_microseconds | | long | +| netflow.rfc3550_jitter_milliseconds | | long | +| netflow.rfc3550_jitter_nanoseconds | | long | +| netflow.rtp_payload_type | | short | +| netflow.rtp_sequence_number | | integer | +| netflow.sampler_id | | short | +| netflow.sampler_mode | | short | +| netflow.sampler_name | | keyword | +| netflow.sampler_random_interval | | long | +| netflow.sampling_algorithm | | short | +| netflow.sampling_flow_interval | | long | +| netflow.sampling_flow_spacing | | long | +| netflow.sampling_interval | | long | +| netflow.sampling_packet_interval | | long | +| netflow.sampling_packet_space | | long | +| netflow.sampling_population | | long | +| netflow.sampling_probability | | double | +| netflow.sampling_size | | long | +| netflow.sampling_time_interval | | long | +| netflow.sampling_time_space | | long | +| netflow.second_packet_banner | | keyword | +| netflow.section_exported_octets | | integer | +| netflow.section_offset | | integer | +| netflow.selection_sequence_id | | long | +| netflow.selector_algorithm | | integer | +| netflow.selector_id | | long | +| netflow.selector_id_total_flows_observed | | long | +| netflow.selector_id_total_flows_selected | | long | +| netflow.selector_id_total_pkts_observed | | long | +| netflow.selector_id_total_pkts_selected | | long | +| netflow.selector_name | | keyword | +| netflow.service_name | | keyword | +| netflow.session_scope | | short | +| netflow.silk_app_label 
| | integer | +| netflow.small_packet_count | | long | +| netflow.source_ipv4_address | | ip | +| netflow.source_ipv4_prefix | | ip | +| netflow.source_ipv4_prefix_length | | short | +| netflow.source_ipv6_address | | ip | +| netflow.source_ipv6_prefix | | ip | +| netflow.source_ipv6_prefix_length | | short | +| netflow.source_mac_address | | keyword | +| netflow.source_transport_port | | integer | +| netflow.source_transport_ports_limit | | integer | +| netflow.src_traffic_index | | long | +| netflow.ssl_cert_serial_number | | keyword | +| netflow.ssl_cert_signature | | keyword | +| netflow.ssl_cert_validity_not_after | | keyword | +| netflow.ssl_cert_validity_not_before | | keyword | +| netflow.ssl_cert_version | | short | +| netflow.ssl_certificate_hash | | keyword | +| netflow.ssl_cipher | | keyword | +| netflow.ssl_client_version | | short | +| netflow.ssl_compression_method | | short | +| netflow.ssl_object_type | | keyword | +| netflow.ssl_object_value | | keyword | +| netflow.ssl_public_key_algorithm | | keyword | +| netflow.ssl_public_key_length | | keyword | +| netflow.ssl_server_cipher | | long | +| netflow.ssl_server_name | | keyword | +| netflow.sta_ipv4_address | | ip | +| netflow.sta_mac_address | | keyword | +| netflow.standard_deviation_interarrival_time | | long | +| netflow.standard_deviation_payload_length | | short | +| netflow.system_init_time_milliseconds | | date | +| netflow.tcp_ack_total_count | | long | +| netflow.tcp_acknowledgement_number | | long | +| netflow.tcp_control_bits | | integer | +| netflow.tcp_destination_port | | integer | +| netflow.tcp_fin_total_count | | long | +| netflow.tcp_header_length | | short | +| netflow.tcp_options | | long | +| netflow.tcp_psh_total_count | | long | +| netflow.tcp_rst_total_count | | long | +| netflow.tcp_sequence_number | | long | +| netflow.tcp_source_port | | integer | +| netflow.tcp_syn_total_count | | long | +| netflow.tcp_urg_total_count | | long | +| netflow.tcp_urgent_pointer | | 
integer | +| netflow.tcp_window_scale | | integer | +| netflow.tcp_window_size | | integer | +| netflow.template_id | | integer | +| netflow.tftp_filename | | keyword | +| netflow.tftp_mode | | keyword | +| netflow.timestamp | | long | +| netflow.timestamp_absolute_monitoring-interval | | long | +| netflow.total_length_ipv4 | | integer | +| netflow.traffic_type | | short | +| netflow.transport_octet_delta_count | | long | +| netflow.transport_packet_delta_count | | long | +| netflow.tunnel_technology | | keyword | +| netflow.type | The type of NetFlow record described by this event. | keyword | +| netflow.udp_destination_port | | integer | +| netflow.udp_message_length | | integer | +| netflow.udp_source_port | | integer | +| netflow.union_tcp_flags | | short | +| netflow.upper_ci_limit | | double | +| netflow.user_name | | keyword | +| netflow.username | | keyword | +| netflow.value_distribution_method | | short | +| netflow.viptela_vpn_id | | long | +| netflow.virtual_station_interface_id | | short | +| netflow.virtual_station_interface_name | | keyword | +| netflow.virtual_station_name | | keyword | +| netflow.virtual_station_uuid | | short | +| netflow.vlan_id | | integer | +| netflow.vmware_egress_interface_attr | | integer | +| netflow.vmware_ingress_interface_attr | | integer | +| netflow.vmware_tenant_dest_ipv4 | | ip | +| netflow.vmware_tenant_dest_ipv6 | | ip | +| netflow.vmware_tenant_dest_port | | integer | +| netflow.vmware_tenant_protocol | | short | +| netflow.vmware_tenant_source_ipv4 | | ip | +| netflow.vmware_tenant_source_ipv6 | | ip | +| netflow.vmware_tenant_source_port | | integer | +| netflow.vmware_vxlan_export_role | | short | +| netflow.vpn_identifier | | short | +| netflow.vr_fname | | keyword | +| netflow.waasoptimization_segment | | short | +| netflow.wlan_channel_id | | short | +| netflow.wlan_ssid | | keyword | +| netflow.wtp_mac_address | | keyword | +| netflow.xlate_destination_address_ip_v4 | | ip | +| 
netflow.xlate_destination_port | | integer | +| netflow.xlate_source_address_ip_v4 | | ip | +| netflow.xlate_source_port | | integer | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. 
| ip |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| observer.os.full | Operating system name, including the version or code name. | keyword |
+| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text |
+| observer.os.kernel | Operating system kernel version as a raw string. | keyword |
+| observer.os.name | Operating system name, without the version. | keyword |
+| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text |
+| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| observer.os.version | Operating system version as a raw string. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| organization.id | Unique identifier for the organization. | keyword |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
+| os.full | Operating system name, including the version or code name. | keyword |
+| os.full.text | Multi-field of `os.full`. | match_only_text |
+| os.kernel | Operating system kernel version as a raw string. | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| os.version | Operating system version as a raw string. | keyword |
+| package.architecture | Package architecture. | keyword |
+| package.checksum | Checksum of the installed package for verification. | keyword |
+| package.description | Description of the package. | keyword |
+| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword |
+| package.installed | Time when package was installed. | date |
+| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword |
+| package.name | Package name | keyword |
+| package.path | Path where the package is installed. | keyword |
+| package.size | Package size in bytes. | long |
+| package.version | Package version | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. 
| match_only_text |
+| process.parent.pid | Process id. | long |
+| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long |
+| process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
+| related.ip | All of the IPs seen on your event. | ip |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| server.as.organization.name | Organization name. | keyword |
+| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.geo.city_name | City name. 
| keyword |
+| server.geo.continent_name | Name of the continent. | keyword |
+| server.geo.country_iso_code | Country ISO code. | keyword |
+| server.geo.country_name | Country name. | keyword |
+| server.geo.location | Longitude and latitude. | geo_point |
+| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| server.geo.region_iso_code | Region ISO code. | keyword |
+| server.geo.region_name | Region name. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long |
+| server.packets | Packets sent from the server to the client. | long |
+| server.port | Port of the server. | long |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.email | User email address. | keyword |
+| server.user.full_name | User's full name, if available. | keyword |
+| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text |
+| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| server.user.group.name | Name of the group. | keyword |
+| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| server.user.id | Unique identifier of the user. | keyword |
+| server.user.name | Short name or login of the user. | keyword |
+| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
+| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword |
+| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword |
+| service.state | Current state of the service. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.locality | Whether the source IP is private or public. | keyword |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. 
internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.email | User email address. | keyword |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| source.user.id | Unique identifier of the user. 
| keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
+| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword |
+| transaction.id | Unique identifier of the transaction within the scope of its trace. 
A transaction is the highest level of work measured within a service, such as a request to a server. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. 
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
new file mode 100755
index 0000000000..6df6ba38b4
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "Netflow Top N flows", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visua
lization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Top-N", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": 
"netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", + "name": "9:panel_9", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json new file mode 100755 index 0000000000..5121267442 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "Overview of Netflow", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":16,\"y\":12},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":32,\"y\":12},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}
},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-34e26884-161a-4448-9556-43b5bf2f62a2", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", + "name": "13:panel_13", + 
"type": "visualization" + }, + { + "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "name": "22:panel_22", + "type": "visualization" + }, + { + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "name": "23:panel_23", + "type": "visualization" + }, + { + "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", + "name": "24:panel_24", + "type": "visualization" + }, + { + "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", + "name": "25:panel_25", + "type": "visualization" + }, + { + "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", + "name": "26:panel_26", + "type": "visualization" + }, + { + "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", + "name": "27:panel_27", + "type": "visualization" + }, + { + "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", + "name": "29:panel_29", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json new file mode 100755 index 0000000000..8c9c9643d8 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json 
@@ -0,0 +1,232 @@ +{ + "attributes": { + "description": "Netflow traffic analysis", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":84},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":108},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":108},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":84},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"grid
Data\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":24,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":24,\"y\":28},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":52},\"panelIndex\":\"19\",\"panelRefName\":\
"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":16,\"x\":24,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":0,\"y\":76},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":24,\"y\":76},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":100},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":24,\"y\":100},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"28\",\"panelRefName\":\"panel_28\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":40,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"30\",\"w\":8,\"x\":16,\"y\":28},\"panelIndex\":\"30\",\"panelRefName\":\"panel_30\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"31\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"31\",\"panelRefName\":\"panel_31\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"34\",\"w\":24,\"x\":24,\"y\":116},\"panelIndex\":\"34\",\"panelRefName\":\"panel_34\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"35\",\"w\":24,\"x\":0,\"y\":116},\"panelIndex\":\"35\",\"panelRefName\":\"panel_35\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"38\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"38\",\"panelRefName\":\"panel_38\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"42\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"42\",\"panelRefName\":\"panel_42\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\
":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"44\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"44\",\"panelRefName\":\"panel_44\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"45\",\"w\":24,\"x\":0,\"y\":68},\"panelIndex\":\"45\",\"panelRefName\":\"panel_45\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"47\",\"w\":24,\"x\":24,\"y\":68},\"panelIndex\":\"47\",\"panelRefName\":\"panel_47\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"48\",\"w\":8,\"x\":16,\"y\":52},\"panelIndex\":\"48\",\"panelRefName\":\"panel_48\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"49\",\"w\":8,\"x\":40,\"y\":52},\"panelIndex\":\"49\",\"panelRefName\":\"panel_49\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"50\",\"w\":8,\"x\":40,\"y\":76},\"panelIndex\":\"50\",\"panelRefName\":\"panel_50\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"51\",\"w\":8,\"x\":40,\"y\":100},\"panelIndex\":\"51\",\"panelRefName\":\"panel_51\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"52\",\"w\":8,\"x\":16,\"y\":100},\"panelIndex\":\"52\",\"panelRefName\":\"panel_52\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"53\",\"w\":8,\"x\":16,\"y\":76},\"panelIndex\":\"53\",\"panelRefName\":\"panel_53\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Traffic Analysis", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": 
"netflow-681f0ce4-d828-4a99-b643-0c0715530050", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "name": "22:panel_22", + "type": "visualization" + }, + { + "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", + "name": "23:panel_23", + "type": "visualization" + }, + { + "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", + "name": "24:panel_24", + "type": "visualization" + }, + { + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "name": "25:panel_25", + "type": "visualization" + }, + { + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "name": "26:panel_26", + "type": "visualization" + }, + { + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "name": "27:panel_27", + "type": "visualization" + }, + { + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "name": "28:panel_28", + "type": "visualization" + }, + { + "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", + "name": "29:panel_29", + "type": "visualization" + }, + { + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "name": "30:panel_30", + "type": "visualization" + }, + { + "id": 
"netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "name": "31:panel_31", + "type": "visualization" + }, + { + "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", + "name": "34:panel_34", + "type": "visualization" + }, + { + "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", + "name": "35:panel_35", + "type": "visualization" + }, + { + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "name": "38:panel_38", + "type": "visualization" + }, + { + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "name": "42:panel_42", + "type": "visualization" + }, + { + "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", + "name": "44:panel_44", + "type": "visualization" + }, + { + "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", + "name": "45:panel_45", + "type": "visualization" + }, + { + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "name": "47:panel_47", + "type": "visualization" + }, + { + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "name": "48:panel_48", + "type": "visualization" + }, + { + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "name": "49:panel_49", + "type": "visualization" + }, + { + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "name": "50:panel_50", + "type": "visualization" + }, + { + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "name": "51:panel_51", + "type": "visualization" + }, + { + "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", + "name": "52:panel_52", + "type": "visualization" + }, + { + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "name": "53:panel_53", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json new file mode 100755 index 0000000000..8e2e71878d --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Netflow geo location", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":{\"query\":\"netflow.log\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"9afd9bfb-ab56-4bc3-a8c6-e412c1bc7f24\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"85982ce7-be78-44ec-a692-96c1
18b3a187\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Destination Geo Location Heatmap [Logs Netflow]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"6972252f-e3a3-4886-abfb-bea957bc1c73\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo Location Heatmap [Logs 
Netflow]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"w\":32,\"x\":16,\"y\":4},\"panelIndex\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Geo Location", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-77326664-23be-4bf1-a126-6d7e60cfc024", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "41aa0e4c-7e76-4715-bf20-c756e74ffe02:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json new file mode 100755 index 0000000000..8ffb5c9326 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json 
@@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "Netflow flow records", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":36,\"x\":12,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"network.transport\",\"network.bytes\",\"network.packets\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Flow records", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-94972700-de4a-4272-9143-2fa8d4981365", + "migrationVersion": { + "dashboard": "8.0.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "name": "5:panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json new file mode 100755 index 0000000000..273f679d05 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Netflow conversation partners", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Conversation Partners", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": 
"netflow-acd7a630-0c71-4840-bc9e-4a3801374a32", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "5:panel_5", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json new file mode 100755 index 0000000000..a900f7c546 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Autonomous systems Netflow", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDat
a\":{\"h\":8,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Autonomous Systems", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c64665f9-d222-421e-90b0-c7310d944b8a", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "8:panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json b/packages/netflow/2.0.1/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json new file mode 100755 index 0000000000..9496b56018 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Netflow exporters", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\
":8,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Flow Exporters", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", + "name": "10:panel_10", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json b/packages/netflow/2.0.1/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json new file mode 100755 index 0000000000..4ed0aa06f5 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.transport", + "network.bytes", + "network.packets" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"netflow.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Flow Records [Logs Netflow]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json b/packages/netflow/2.0.1/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json new file mode 100755 index 0000000000..8bfe0f24fd --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLAN Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"VLANs\",\"field\":\"netflow.vlan_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"VLAN Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json b/packages/netflow/2.0.1/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json new file mode 100755 index 0000000000..4edc81efd4 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Autonomous Systems [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Autonomous Systems [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json b/packages/netflow/2.0.1/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json new file mode 100755 index 0000000000..4283ed8398 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json b/packages/netflow/2.0.1/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json new file mode 100755 index 0000000000..d3cd03e5fd --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json 
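Review bot: The Timelion expression inside `visState` queries `index="logs-*"` with no dataset restriction of its own, so the only thing that limits it to `netflow.log` is the `data_stream.dataset` filter a dashboard passes in through `kibana=true`; opened on its own, or placed on a dashboard without that filter, the panel sums `network.packets` across every `logs-*` data stream that populates the field. Adding the dataset to the query keeps the series scoped in every context, e.g. `.es(index="logs-*", q="data_stream.dataset:netflow.log", metric="sum:network.packets", split="source.ip:10", kibana=true)` (escaped as usual in the JSON string). The same applies to the other Timelion visualizations in this chunk: netflow-12aad647, netflow-15e2a267, netflow-1cd36f5d, netflow-1e74d5cb and netflow-201d7dd1. These files also carry `"references": []` while the aggregation-based visualizations bind the index pattern through `indexRefName`, so the `logs-*` name in the expression will not be rewritten if the package's index-pattern reference ever changes; that appears to be a Timelion limitation rather than something this commit can fix, but it is worth a comment in the package docs.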
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json b/packages/netflow/2.0.1/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json new file mode 100755 index 0000000000..50ca670a97 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json b/packages/netflow/2.0.1/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json new file mode 100755 index 0000000000..07d1ebeea9 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Ingress Interface\",\"field\":\"netflow.ingress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Ingress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json b/packages/netflow/2.0.1/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json new file mode 100755 index 0000000000..3f2413b575 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Sources [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Sources [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json b/packages/netflow/2.0.1/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json new file mode 100755 index 0000000000..f8800be221 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources and Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json b/packages/netflow/2.0.1/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json new file mode 100755 index 0000000000..185796e6a0 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json b/packages/netflow/2.0.1/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json new file mode 100755 index 0000000000..2be98aa7d5 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "City Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cities\",\"field\":\"destination.geo.city_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"City Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json b/packages/netflow/2.0.1/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json new file mode 100755 index 0000000000..5d2741d0ea --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json b/packages/netflow/2.0.1/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json new file mode 100755 index 0000000000..8089613edd --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type of Service\",\"field\":\"netflow.ip_class_of_service\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json b/packages/netflow/2.0.1/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json new file mode 100755 index 0000000000..36dd644fb6 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json b/packages/netflow/2.0.1/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json new file mode 100755 index 0000000000..6e319d2ee8 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json b/packages/netflow/2.0.1/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json new file mode 100755 index 0000000000..38d938c712 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json b/packages/netflow/2.0.1/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json new file mode 100755 index 0000000000..0b978a1c6b --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json b/packages/netflow/2.0.1/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json new file mode 100755 index 0000000000..18a1464367 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Protocols [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Protocols [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json b/packages/netflow/2.0.1/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json new file mode 100755 index 0000000000..f735f227fc --- /dev/null 
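Review bot: The table `params` in `visState` use the key `showMeticsAtAllLevels`, which looks like a misspelling of Kibana's `showMetricsAtAllLevels`; an unknown key is presumably ignored and the default applies, so the `false` written here has no effect. That is harmless only while the default is also false, and it will mislead anyone editing the export by hand or a future migration that validates params. I would correct it to `\"showMetricsAtAllLevels\":false`. The same key appears in the table visualizations netflow-31b5f6fd, netflow-5292a65b and netflow-5303e99b.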
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"TCP Flag States\",\"field\":\"netflow.tcp_control_bits\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"TCP Flags Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json b/packages/netflow/2.0.1/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json new file mode 100755 index 0000000000..bbff9003ca --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json b/packages/netflow/2.0.1/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json new file mode 100755 index 0000000000..4ab3ca80e4 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json new file mode 100755 index 0000000000..08d9c2dafa --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destination Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json b/packages/netflow/2.0.1/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json new file mode 100755 index 0000000000..b34bb34cac --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json new file mode 100755 index 0000000000..ca56e99437 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json new file mode 100755 index 0000000000..59778d4915 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Version (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Version (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json b/packages/netflow/2.0.1/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json new file mode 100755 index 0000000000..b12c7d2621 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json b/packages/netflow/2.0.1/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json new file mode 100755 index 0000000000..2a58338da7 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json b/packages/netflow/2.0.1/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json new file mode 100755 index 0000000000..de5cb96164 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Egress Interface\",\"field\":\"netflow.egress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Egress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json b/packages/netflow/2.0.1/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json new file mode 100755 index 0000000000..42c5ea60ea --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Records [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timeline\",\"extended_bounds\":{},\"field\":\"event.end\",\"interval\":\"s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Flow Records\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"histogram\"}" + }, + 
"coreMigrationVersion": "8.0.0", + "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json b/packages/netflow/2.0.1/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json new file mode 100755 index 0000000000..def8920024 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json 
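Review bot: In the histogram `seriesParams` inside `visState`, `\"show\":\"true\"` is a string while the neighbouring flags `drawLinesBetweenPoints` and `showCircles` are booleans. Kibana presumably treats the non-empty string as truthy so the series renders, but the same pattern with `\"false\"` would still be truthy and hide nothing, so the mixed type is a latent trap for the next editor. I would normalise it to `\"show\":true`.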
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Cities [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":true,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Cities [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json b/packages/netflow/2.0.1/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json new file mode 100755 index 0000000000..9de72f30b5 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destinations [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destinations [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json b/packages/netflow/2.0.1/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json new file mode 100755 index 0000000000..7e811e1ea3 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TCP Flags\",\"field\":\"netflow.tcp_control_bits\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":255},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json b/packages/netflow/2.0.1/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json new file mode 100755 index 0000000000..1cb0ac07fd --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json 
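Review bot: This pie visualization and the timelion visualization netflow-5d868836 later in this commit both carry the title `TCP Flags (bytes) [Logs Netflow]`, so they are indistinguishable in the Visualize listing and in a dashboard's add-panel dialog, and only the id tells them apart. Distinct ids mean the import itself succeeds, but I would give one of them a title that names its chart type, e.g. `\"title\": \"TCP Flags (bytes) - Timeline [Logs Netflow]\"` on the timelion one; note the same string is repeated inside `visState` and must be changed in both places.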
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json b/packages/netflow/2.0.1/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json new file mode 100755 index 0000000000..552f9ceaf6 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json 
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Countries (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json b/packages/netflow/2.0.1/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json
new file mode 100755
index 0000000000..1a237de283
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json
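Review bot: The Timelion expression hard-codes `index=\"logs-*\"` while `references` is `[]`, so the index pattern is not tracked as a saved-object reference and the chart sums `network.bytes` across every `logs-*` data stream, not only netflow data; the pie visualizations in this commit instead resolve their index through the `kibanaSavedObjectMeta.searchSourceJSON.index` reference. If the dashboard is meant to show netflow flows only, narrowing the pattern inside the expression, e.g. `index=\\\"<netflow data stream pattern>\\\"`, keeps other log sources out of the totals. The same applies to the Timelion hunks ending at L3142, L3145, L3146, L3147, L3148, L3149, L3151, L3152, L3154, L3155 and L3157.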
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "TCP Flags (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json b/packages/netflow/2.0.1/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json
new file mode 100755
index 0000000000..6c3e1b32bd
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json
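Review bot: The title `TCP Flags (bytes) [Logs Netflow]` is used both by this Timelion visualization and by the pie chart in the hunk ending at L3139, so the two are indistinguishable in the saved-objects list and in panel pickers; the same collision exists for `Countries (bytes) [Logs Netflow]` (L3141 and L3153) and `VLANs (bytes) [Logs Netflow]` (L3150 and L3155). Making the chart kind part of the title, e.g. `TCP Flags over time (bytes) [Logs Netflow]` for the Timelion one, removes the ambiguity. The `title` appears twice per file, at the top level and inside `visState`, and both copies would need the change.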
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Country Count [Logs Netflow]",
+ "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Countries\",\"field\":\"destination.geo.country_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Country Count [Logs Netflow]\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json b/packages/netflow/2.0.1/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json
new file mode 100755
index 0000000000..c4b788481c
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destinations and Ports (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json b/packages/netflow/2.0.1/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json
new file mode 100755
index 0000000000..e185a6934d
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destinations (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json
new file mode 100755
index 0000000000..f420f9b844
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Sources (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json b/packages/netflow/2.0.1/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json
new file mode 100755
index 0000000000..da2f83b090
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Types of Service (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json b/packages/netflow/2.0.1/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json
new file mode 100755
index 0000000000..c9b9434535
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Source Autonomous Systems (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json b/packages/netflow/2.0.1/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json
new file mode 100755
index 0000000000..5170f89858
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Cities (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json b/packages/netflow/2.0.1/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json
new file mode 100755
index 0000000000..e10072db9a
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "VLANs (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"VLAN\",\"field\":\"netflow.vlan_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json b/packages/netflow/2.0.1/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json
new file mode 100755
index 0000000000..4d61c728ef
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Egress Interfaces (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json b/packages/netflow/2.0.1/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json
new file mode 100755
index 0000000000..d3bba7450d
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "TCP Flags (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json
new file mode 100755
index 0000000000..305b1cbe98
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Countries (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json b/packages/netflow/2.0.1/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json
new file mode 100755
index 0000000000..9fd050b6f2
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Types of Service (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json b/packages/netflow/2.0.1/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json
new file mode 100755
index 0000000000..fff9d9fbb7
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "VLANs (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json b/packages/netflow/2.0.1/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json
new file mode 100755
index 0000000000..d5430f2886
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Cities (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json b/packages/netflow/2.0.1/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json
new file mode 100755
index 0000000000..e67336cb81
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json
@@ -0,0 +1,19 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Autonomous Systems (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json b/packages/netflow/2.0.1/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json
new file mode 100755
index 0000000000..11c13cd5af
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "IP Version and Protocols (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP Version\",\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"unset ip version\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"bytes\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"IP Version and Protocols (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json b/packages/netflow/2.0.1/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json
new file mode 100755
index 0000000000..0cb598214c
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destinations and Sources (flow records) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (flow records) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json b/packages/netflow/2.0.1/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json
new file mode 100755
index 0000000000..4687a20531
--- /dev/null
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Port Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Destination Port Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json b/packages/netflow/2.0.1/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json new file mode 100755 index 0000000000..b966d64753 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Locality (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locality\",\"field\":\"flow.locality\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Locality (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json b/packages/netflow/2.0.1/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json new file mode 100755 index 0000000000..1eceb9a616 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Direction (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Direction\",\"field\":\"network.direction\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Direction (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json b/packages/netflow/2.0.1/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json new file mode 100755 index 0000000000..a0b7c0c1c2 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Records [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json b/packages/netflow/2.0.1/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json new file mode 100755 index 0000000000..878b1708d1 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json b/packages/netflow/2.0.1/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json new file mode 100755 index 0000000000..2a6ad569d2 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Flow Exporters [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Flow Exporters [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
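Review bot: The "Top Flow Exporters" table splits on `agent.name`, which identifies the Elastic Agent that received the flows rather than the router or switch that exported them, so with one collector fed by several exporters the table would presumably show a single row under the collector's hostname. If the data stream carries the exporter's identity (the NetFlow/IPFIX exporter address is the usual candidate), the terms aggregation should use that field; if it does not, the column label should say "Collector" so the number is not misread. The `size: 500` bucket limit is also generous for a table that pages at 10 rows, though that is a cost rather than a correctness point.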
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json b/packages/netflow/2.0.1/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json new file mode 100755 index 0000000000..743e1dfb17 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json new file mode 100755 index 0000000000..979ae6b817 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json new file mode 100755 index 0000000000..c6f2374192 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json 
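Review bot: The timelion expression queries `index="logs-*"` directly and the object carries `"references": []`, so unlike the aggregation-based siblings there is no index-pattern reference for Fleet to rewrite, and nothing in the expression itself restricts `sum:network.packets` to the netflow data stream. With `kibana=true` the panel inherits the dashboard's query and filter bar, so it is scoped correctly only while a dataset filter is applied at the dashboard level; opened standalone, or on a dashboard without that filter, it sums packets across every `logs-*` index that has the field. Adding a `q=` clause to the `.es()` call that pins the package's own dataset (e.g. `q="data_stream.dataset:<netflow dataset>"`) would make the scoping self-contained. The other timelion objects in this package use the identical `.es(index="logs-*", ...)` form and would want the same change.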
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json new file mode 100755 index 0000000000..79287a5688 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json new file mode 100755 index 0000000000..80858ba78a --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Dashboard Navigation [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Overview](#/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2) | [Conversation Partners](#/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32) | [Traffic Analysis](#/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8) | [Top-N](#/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c) | [Geo Location](#/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024) | [Autonomous Systems](#/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a) | [Flow Exporters](#/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425) | [Raw Flow Records](#/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365)\\n***\"},\"title\":\"Dashboard Navigation [Logs Netflow]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json new file mode 100755 index 0000000000..31ce08b895 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous System Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Autonomous Systems\",\"field\":\"destination.as.organization.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Autonomous System Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json b/packages/netflow/2.0.1/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json new file mode 100755 index 0000000000..2966189f54 
--- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json b/packages/netflow/2.0.1/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json new file mode 100755 index 0000000000..e443df12d7 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Port Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Ports\",\"field\":\"source.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Port Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json b/packages/netflow/2.0.1/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json new file mode 100755 index 0000000000..d2c4ad8355 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json b/packages/netflow/2.0.1/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json new file mode 100755 index 0000000000..497a4ccbfb --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Count [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"fontSize\":\"32\",\"handleNoResults\":true},\"title\":\"Destination Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json b/packages/netflow/2.0.1/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json new file mode 100755 index 0000000000..60c450cad9 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Source Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json b/packages/netflow/2.0.1/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json new file mode 100755 index 0000000000..510bd9c74c --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Conversation Partners [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Conversation Partners [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json new file mode 100755 index 0000000000..75c6397b07 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "ToS Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Types of Service\",\"field\":\"netflow.ip_class_of_service\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"ToS Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json new file mode 100755 index 0000000000..5d555b8534 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Geo Location Heatmap [Logs Netflow]", + "uiStateJSON": "{\"mapCenter\":[8.407168163601076,9.4921875]}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Location\",\"field\":\"destination.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":\"16\",\"heatMaxZoom\":16,\"heatMinOpacity\":\"0.32\",\"heatNormalizeData\":true,\"heatRadius\":\"24\",\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Destination Geo Location Heatmap [Logs Netflow]\",\"type\":\"tile_map\"}" + }, + "id": "netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json new file mode 100755 index 0000000000..dcd2f36948 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source Ports (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json new file mode 100755 index 0000000000..19567eb0c0 --- /dev/null 
+++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json new file mode 100755 index 0000000000..8ba248d484 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json new file mode 100755 index 0000000000..f92dadbfe2 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json new file mode 100755 index 0000000000..55a143a303 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source ASs (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination AS\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source AS\",\"field\":\"source.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source ASs (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json b/packages/netflow/2.0.1/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json new file mode 100755 index 0000000000..d810abfa5a --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json b/packages/netflow/2.0.1/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json new file mode 100755 index 0000000000..8e5d47ad63 --- /dev/null +++ b/packages/netflow/2.0.1/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.0.1/manifest.yml b/packages/netflow/2.0.1/manifest.yml new file mode 100755 index 0000000000..092fa3f54e --- /dev/null +++ b/packages/netflow/2.0.1/manifest.yml 
@@ -0,0 +1,23 @@
+format_version: 1.0.0
+name: netflow
+title: NetFlow Records
+version: 2.0.1
+license: basic
+description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: ^8.0.0
+policy_templates:
+ - name: netflow
+ title: NetFlow logs
+ description: Collect Netflow logs from networks via UDP
+ inputs:
+ - type: netflow
+ title: Collect NetFlow logs
+ description: Collecting NetFlow logs using the netflow input
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/network_traffic/1.0.1/changelog.yml b/packages/network_traffic/1.0.1/changelog.yml
new file mode 100755
index 0000000000..0e42de3f49
--- /dev/null
+++ b/packages/network_traffic/1.0.1/changelog.yml
@@ -0,0 +1,129 @@
+# newer versions go on top
+- version: "1.0.1"
+ changes:
+ - description: Remove invalid value from `event.category`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3384
+- version: "1.0.0"
+ changes:
+ - description: Release as GA.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3355
+- version: "0.10.1"
+ changes:
+ - description: Remove invalid value from `event.category` in SIP data set.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3343
+- version: "0.10.0"
+ changes:
+ - description: Add configuration options for each protocol.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3157
+- version: "0.9.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "0.8.2"
+ changes:
+ - description: Add missing field mappings to DNS and TLS data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3078
+- version: "0.8.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.8.0"
+ changes:
+ - description: Change release stability to beta.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2793
+- version: "0.7.1"
+ changes:
+ - description: Fix mapping for tls.detailed.client_certificate_chain.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2793
+- version: "0.7.0"
+ changes:
+ - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2762
+- version: "0.6.3"
+ changes:
+ - description: Add license note to README.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2809
+- version: "0.6.2"
+ changes:
+ - description: Add fields for TLS random data and OCSP status.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2703
+- version: "0.6.1"
+ changes:
+ - description: Remove unused field metadata.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2648
+- version: "0.6.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2426
+- version: "0.5.1"
+ changes:
+ - description: Fix mapping for tls.detailed.server_certificate_chain
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2517
+- version: "0.5.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2224
+- version: "0.4.2"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2097
+- version: "0.4.1"
+ changes:
+ - description: Update Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1975
+- version: "0.4.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1669
+- version: "0.3.0"
+ changes:
+ - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1764
+- version: "0.2.2"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.2.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.2.0"
+ changes:
+ - description: Update documentation to fit mdx spec
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1401
+- version: "0.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/21
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs
new file mode 100755
index 0000000000..22fb1883a0
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs
@@ -0,0 +1,49 @@
+type: amqp
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if max_body_length}}
+max_body_length: {{max_body_length}}
+{{/if}}
+{{#if parse_headers}}
+parse_headers: {{parse_headers}}
+{{/if}}
+{{#if parse_arguments}}
+parse_arguments: {{parse_arguments}}
+{{/if}}
+{{#if hide_connection_information}}
+hide_connection_information: {{hide_connection_information}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if transaction_timeout}}
+transaction_timeout: {{transaction_timeout}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..dd8f95ef44
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
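Review bot: Wrapping the boolean settings in `{{#if …}}` means a value of false is never rendered, so an operator who explicitly sets `hide_connection_information: false` gets packetbeat's built-in default rather than their own choice; if that default is true (as packetbeat's AMQP documentation states, to be confirmed for this input), the setting cannot be switched off from this policy at all. The same guard on `parse_headers`, `parse_arguments`, `send_request`, `send_response` and `keep_null` is only harmless as long as those default to false upstream. For settings whose manifest declares a default, render them unconditionally, e.g. `hide_connection_information: {{hide_connection_information}}`, and keep `{{#if}}` for genuinely optional values such as `port`, `processors` and `interface`. Since `send_request`/`send_response` presumably copy the raw AMQP payload into the `request`/`response` fields, a one-line template comment such as `{{!-- send_request/send_response capture message payloads; may expose sensitive data --}}` would help whoever edits this policy later.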
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing amqp traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml
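Review bot: The three `host.mac` processors treat the field as a single string, but the field definition added elsewhere in this package describes it as "Host mac addresses" (plural); if the agent ships an array, a `gsub` that does not accept arrays fails, and because the only handler is the pipeline-level `on_failure`, the event is indexed with `error.message` set and the MAC normalisation silently skipped. Confirm that `gsub` accepts array values on the Elasticsearch versions this package targets, and otherwise wrap the three steps in a `foreach` over `host.mac`. The Painless script has the same shape of problem: it indexes `ctx.event.category` as a list, so a scalar string value would throw and take the same `on_failure` path; tightening the guard to `if: 'ctx.event?.category instanceof List && (ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0)'` keeps the removal from being skipped on a throw. A short comment on `on_failure` noting that failures are recorded but never drop the event would make that choice explicit for whoever tunes the pipeline.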
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml new file mode 100755 index 0000000000..da1822dec9 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml 
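Review bot: The `response` entry's description ends with "For binary protocols this is our representation of the request.", which is the `request` text copied over; change it to `For binary protocols this is our representation of the response.` The cassandra beats.yml hunk in this commit is the same blob (index d23ddc749e) and needs the same fix. As a point of style, `type` is the only entry whose `type: keyword` comes after its description and a blank line; moving it directly under `name: type` keeps the entries uniform.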
@@ -0,0 +1,128 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
+ name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. 
+ name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml new file mode 100755 index 0000000000..4b87cf176c --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml 
@@ -0,0 +1,202 @@ +- name: amqp + type: group + fields: + - name: reply-code + type: long + description: > + AMQP reply code to an error, similar to http reply-code + + example: 404 + - name: reply-text + type: keyword + description: > + Text explaining the error. + + - name: class-id + type: long + description: > + Failing method class. + + - name: method-id + type: long + description: > + Failing method ID. + + - name: exchange + type: keyword + description: > + Name of the exchange. + + - name: exchange-type + type: keyword + description: > + Exchange type. + + example: fanout + - name: passive + type: boolean + description: > + If set, do not create exchange/queue. + + - name: durable + type: boolean + description: > + If set, request a durable exchange/queue. + + - name: exclusive + type: boolean + description: > + If set, request an exclusive queue. + + - name: auto-delete + type: boolean + description: > + If set, auto-delete queue when unused. + + - name: no-wait + type: boolean + description: > + If set, the server will not respond to the method. + + - name: consumer-tag + type: keyword + description: > + Identifier for the consumer, valid within the current channel. + + - name: delivery-tag + type: long + description: > + The server-assigned and channel-specific delivery tag. + + - name: message-count + type: long + description: > + The number of messages in the queue, which will be zero for newly-declared queues. + + - name: consumer-count + type: long + description: > + The number of consumers of a queue. + + - name: routing-key + type: keyword + description: > + Message routing key. + + - name: no-ack + type: boolean + description: > + If set, the server does not expect acknowledgements for messages. + + - name: no-local + type: boolean + description: > + If set, the server will not send messages to the connection that published them. + + - name: if-unused + type: boolean + description: > + Delete only if unused. 
+ + - name: if-empty + type: boolean + description: > + Delete only if empty. + + - name: queue + type: keyword + description: > + The queue name identifies the queue within the vhost. + + - name: redelivered + type: boolean + description: > + Indicates that the message has been previously delivered to this or another client. + + - name: multiple + type: boolean + description: > + Acknowledge multiple messages. + + - name: arguments + type: object + description: > + Optional additional arguments passed to some methods. Can be of various types. + + - name: mandatory + type: boolean + description: > + Indicates mandatory routing. + + - name: immediate + type: boolean + description: > + Request immediate delivery. + + - name: content-type + type: keyword + description: > + MIME content type. + + example: text/plain + - name: content-encoding + type: keyword + description: > + MIME content encoding. + + - name: headers + type: object + object_type: keyword + description: > + Message header field table. + + - name: delivery-mode + type: keyword + description: > + Non-persistent (1) or persistent (2). + + - name: priority + type: long + description: > + Message priority, 0 to 9. + + - name: correlation-id + type: keyword + description: > + Application correlation identifier. + + - name: reply-to + type: keyword + description: > + Address to reply to. + + - name: expiration + type: keyword + description: > + Message expiration specification. + + - name: message-id + type: keyword + description: > + Application message identifier. + + - name: timestamp + type: keyword + description: > + Message timestamp. + + - name: type + type: keyword + description: > + Message type name. + + - name: user-id + type: keyword + description: > + Creating user id. + + - name: app-id + type: keyword + description: > + Creating application id. + 
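Review bot: `arguments` is declared `type: object` with no `object_type`, whereas `headers` just below it carries `object_type: keyword`; both tables are populated with keys chosen by the AMQP peer, so leaving the sub-field type undeclared appears to hand those keys to Elasticsearch dynamic mapping, where an unbounded key set grows the mapping and mixed value types across events cause mapping conflicts. If the intent matches `headers`, add `object_type: keyword` under `arguments`; if the values are deliberately left unindexed, say so in the description. Separately, `timestamp` is typed `keyword` with only "Message timestamp." as description — stating the representation (e.g. whether it is the raw AMQP epoch value) would stop consumers from expecting a `date` field.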
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml b/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml new file mode 100755 index 0000000000..392448511a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml 
@@ -0,0 +1,105 @@
+title: AMQP
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [5672]
+ - name: max_body_length
+ type: integer
+ title: Max Body Length
+ description: |-
+ Truncate messages that are published and avoid huge messages being
+ indexed.
+ Default: 1000
+ show_user: false
+ multi: false
+ required: false
+ - name: parse_headers
+ type: bool
+ title: Parse Headers
+ description: |-
+ Hide the header fields in header frames.
+ Default: false
+ show_user: false
+ multi: false
+ required: false
+ - name: parse_arguments
+ type: bool
+ title: Parse Arguments
+ description: |-
+ Hide the additional arguments of method frames.
+ Default: false
+ show_user: false
+ multi: false
+ required: false
+ - name: hide_connection_information
+ type: bool
+ title: Hide Connection Information
+ description: |-
+ Hide all methods relative to connection negotiation between server and
+ client.
+ Default: true
+ show_user: false
+ multi: false
+ required: false
+ - name: send_request
+ type: bool
+ title: Send Request
+ description: |-
+ If this option is enabled, the raw message of the request (`request` field)
+ is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: send_response
+ type: bool
+ title: Send Response
+ description: |-
+ If this option is enabled, the raw message of the response (`response`
+ field) is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: transaction_timeout
+ type: text
+ title: Transaction Timeout
+ description: |-
+ Transaction timeout. Expired transactions will no longer be correlated to
+ incoming responses, but sent to Elasticsearch immediately.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: AMQP
+ description: Capture AMQP Traffic
+ template_path: amqp.yml.hbs
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json b/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json
new file mode 100755
index 0000000000..9ef02f389f
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json
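Review bot: The descriptions of `parse_headers` ("Hide the header fields in header frames.") and `parse_arguments` ("Hide the additional arguments of method frames.") read as the inverse of the option names; if setting them to `true` parses and includes those fields in the event, the text should say so, e.g. `Parse the header fields of header frames and include them in the event.` with the existing `Default: false` line kept. `transaction_timeout` is a `text` var whose description gives neither the accepted format nor the default, unlike the neighbouring vars that each end with a `Default:` line; naming the duration format it expects and its default lets operators tune it without guessing. Minor: `default: [5672]` is an integer literal in a var the comment deliberately types as `text`; `["5672"]` would match the declared type, if Fleet accepts it.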
@@ -0,0 +1,107 @@ +{ + "@timestamp": "2022-03-09T07:37:02.033Z", + "agent": { + "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "amqp": { + "auto-delete": false, + "consumer-count": 0, + "durable": false, + "exclusive": false, + "message-count": 0, + "no-wait": false, + "passive": false, + "queue": "hello" + }, + "client": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 34222 + }, + "data_stream": { + "dataset": "network_traffic.amqp", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 26, + "ip": "127.0.0.1", + "port": 5672 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "amqp.queue.declare", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.amqp", + "duration": 1325900, + "end": "2022-03-09T07:37:02.035Z", + "ingested": "2022-03-09T07:37:03Z", + "kind": "event", + "start": "2022-03-09T07:37:02.033Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "queue.declare", + "network": { + "bytes": 51, + "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", + "direction": "ingress", + "protocol": "amqp", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 26, + "ip": "127.0.0.1", + "port": 5672 + }, + "source": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 34222 + 
},
+ "status": "OK",
+ "type": "amqp"
+}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs
new file mode 100755
index 0000000000..9c4ec167d1
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs
@@ -0,0 +1,49 @@
+type: cassandra
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_request_header}}
+send_request_header: {{send_request_header}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if send_response_header}}
+send_response_header: {{send_response_header}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if compressor}}
+compressor: {{compressor}}
+{{/if}}
+{{#if ignored_ops}}
+ignored_ops:
+{{#each ignored_ops as |ignored_op|}}
+ - {{ignored_op}}
+{{/each}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..2860fd7f9e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
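Review bot: `file: {{interface}}` and `device: {{interface}}` in the closing `{{#if interface}}` block render the operator-supplied value as a bare YAML scalar, so a pcap path containing `: `, ` #` or a leading indicator character would yield invalid or mis-typed YAML in the generated agent config. Unless the template engine is known to quote or escape substituted values, wrapping them as `file: '{{interface}}'` and `device: '{{interface}}'` keeps the rendered value a string whatever the input. The `{{#if (contains ".pcap" interface)}}` dispatch deserves a one-line template comment saying that any value containing `.pcap` is treated as a capture file rather than a device.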
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing cassandra traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+ # Set host.mac to dash separated upper case value
+ # as per ECS recommendation
+ ##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml
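Review bot: The `on_failure` handler only writes the failure text into `error.message`, so a document that failed a processor is indexed looking like any other event and is hard to find or alert on. Marking it with `- set:` / `field: event.kind` / `value: pipeline_error` next to the existing `set` — a common convention in ECS pipelines, and consistent with the `ecs.version` 8.2.0 this pipeline stamps — gives dashboards and detection rules a stable field to filter on. The `host.mac` normalization (`gsub` with `'(..)(?!$)'`) also assumes the stripped value is an even-length hex string; a comment stating that assumption would help the next maintainer.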
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
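Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar and parses as an integer even though the field is `keyword`; quote it as `example: "666777888999"`, matching the quoted `"18D109"` and `"stretch"` examples later in the same file. The three `description: >` blocks at the end (`containerized`, `os.build`, `os.codename`) are each followed by a blank line, so their folded values carry a trailing newline unlike every other description in this file; `>-` would strip it. The amqp data stream's agent.yml in this commit appears to be the same content and should receive the same fixes.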
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml 
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml new file mode 100755 index 0000000000..58a2f6c12d --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml 
@@ -0,0 +1,283 @@ +- name: cassandra + type: group + description: Information about the Cassandra request and response. + fields: + - name: no_request + type: boolean + description: > + Indicates that there is no request because this is a PUSH message. + + - name: request + type: group + description: Cassandra request. + fields: + - name: headers + type: group + description: Cassandra request headers. + fields: + - name: version + type: keyword + description: The version of the protocol. + - name: flags + type: keyword + description: Flags applying to this frame. + - name: stream + type: keyword + description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. + - name: op + type: keyword + description: An operation type that distinguishes the actual message. + - name: length + type: long + description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). + - name: query + type: keyword + description: The CQL query which client send to cassandra. + - name: response + type: group + description: Cassandra response. + fields: + - name: headers + type: group + description: Cassandra response headers, the structure is as same as request's header. + fields: + - name: version + type: keyword + description: The version of the protocol. + - name: flags + type: keyword + description: Flags applying to this frame. + - name: stream + type: keyword + description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. + - name: op + type: keyword + description: An operation type that distinguishes the actual message. + - name: length + type: long + description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
+ - name: result + type: group + description: Details about the returned result. + fields: + - name: type + type: keyword + description: Cassandra result type. + - name: rows + type: group + description: Details about the rows. + fields: + - name: num_rows + type: long + description: Representing the number of rows present in this result. + - name: meta + type: group + description: Composed of result metadata. + fields: + - name: keyspace + type: keyword + description: Only present after set Global_tables_spec, the keyspace name. + - name: table + type: keyword + description: Only present after set Global_tables_spec, the table name. + - name: flags + type: keyword + description: Provides information on the formatting of the remaining information. + - name: col_count + type: long + description: Representing the number of columns selected by the query that produced this result. + - name: pkey_columns + type: long + description: Representing the PK columns index and counts. + - name: paging_state + type: keyword + description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. + - name: keyspace + type: keyword + description: Indicating the name of the keyspace that has been set. + - name: schema_change + type: group + description: The result to a schema_change message. + fields: + - name: change + type: keyword + description: Representing the type of changed involved. + - name: keyspace + type: keyword + description: This describes which keyspace has changed. + - name: table + type: keyword + description: This describes which table has changed. + - name: object + type: keyword + description: This describes the name of said affected object (either the table, user type, function, or aggregate name). + - name: target + type: keyword + description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
+ - name: name + type: keyword + description: The function/aggregate name. + - name: args + type: keyword + description: One string for each argument type (as CQL type). + - name: prepared + type: group + description: The result to a PREPARE message. + fields: + - name: prepared_id + type: keyword + description: Representing the prepared query ID. + - name: req_meta + type: group + description: This describes the request metadata. + fields: + - name: keyspace + type: keyword + description: Only present after set Global_tables_spec, the keyspace name. + - name: table + type: keyword + description: Only present after set Global_tables_spec, the table name. + - name: flags + type: keyword + description: Provides information on the formatting of the remaining information. + - name: col_count + type: long + description: Representing the number of columns selected by the query that produced this result. + - name: pkey_columns + type: long + description: Representing the PK columns index and counts. + - name: paging_state + type: keyword + description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. + - name: resp_meta + type: group + description: This describes the metadata for the result set. + fields: + - name: keyspace + type: keyword + description: Only present after set Global_tables_spec, the keyspace name. + - name: table + type: keyword + description: Only present after set Global_tables_spec, the table name. + - name: flags + type: keyword + description: Provides information on the formatting of the remaining information. + - name: col_count + type: long + description: Representing the number of columns selected by the query that produced this result. + - name: pkey_columns + type: long + description: Representing the PK columns index and counts. 
+ - name: paging_state + type: keyword + description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. + - name: supported + type: flattened + description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. + - name: authentication + type: group + description: Indicates that the server requires authentication, and which authentication mechanism to use. + fields: + - name: class + type: keyword + description: Indicates the full class name of the IAuthenticator in use + - name: warnings + type: keyword + description: The text of the warnings, only occur when Warning flag was set. + - name: event + type: group + description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. + fields: + - name: type + type: keyword + description: Representing the event type. + - name: change + type: keyword + description: The message corresponding respectively to the type of change followed by the address of the new/removed node. + - name: host + type: keyword + description: Representing the node ip. + - name: port + type: long + description: Representing the node port. + - name: schema_change + type: group + description: The events details related to schema change. + fields: + - name: change + type: keyword + description: Representing the type of changed involved. + - name: keyspace + type: keyword + description: This describes which keyspace has changed. + - name: table + type: keyword + description: This describes which table has changed. + - name: object + type: keyword + description: This describes the name of said affected object (either the table, user type, function, or aggregate name). + - name: target + type: keyword + description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. + - name: name + type: keyword + description: The function/aggregate name. 
+ - name: args + type: keyword + description: One string for each argument type (as CQL type). + - name: error + type: group + description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. + fields: + - name: code + type: long + description: The error code of the Cassandra response. + - name: msg + type: keyword + description: The error message of the Cassandra response. + - name: type + type: keyword + description: The error type of the Cassandra response. + - name: details + type: group + description: The details of the error. + fields: + - name: read_consistency + type: keyword + description: Representing the consistency level of the query that triggered the exception. + - name: required + type: long + description: Representing the number of nodes that should be alive to respect consistency level. + - name: alive + type: long + description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). + - name: received + type: long + description: Representing the number of nodes having acknowledged the request. + - name: blockfor + type: long + description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. + - name: write_type + type: keyword + description: Describe the type of the write that timed out. + - name: data_present + type: boolean + description: It means the replica that was asked for data had responded. + - name: keyspace + type: keyword + description: The keyspace of the failed function. + - name: table + type: keyword + description: The keyspace of the failed function. + - name: stmt_id + type: keyword + description: Representing the unknown ID. + - name: num_failures + type: keyword + description: Representing the number of nodes that experience a failure while executing the request. 
+ - name: function + type: keyword + description: The name of the failed function. + - name: arg_types + type: keyword + description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml new file mode 100755 index 0000000000..b05f2d1e4e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml 
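Review bot: `cassandra.response.error.details.table` carries the description "The keyspace of the failed function", duplicated from the `keyspace` entry above it; it should describe the table, e.g. `description: The table of the failed function.` `num_failures` is declared `type: keyword` while its description calls it a count, whereas the sibling counters `required`, `alive`, `received` and `blockfor` are `long`; unless the beat emits it as a string, `type: long` would let it be aggregated consistently. `cassandra.request.query` is a plain `keyword` holding the full CQL statement with no `ignore_above`, so an unusually long statement can be rejected at index time by the keyword term-size limit, and its description could note that CQL text may include sensitive values (role or credential management statements, for example) so operators know to weigh the `send_request` option in the manifest. The `cassandra` group itself opens in this hunk and closes here, so the whole definition is visible.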
@@ -0,0 +1,92 @@ +title: Cassandra +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [9042] + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`cassandra_request` field) + is included in published events. The default is true. + show_user: false + multi: false + required: false + - name: send_request_header + type: bool + title: Send Request Header + description: |- + If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) + is included in published events. The default is true. enable `send_request` first before enable this option. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`cassandra_response` field) + is included in published events. The default is true. + show_user: false + multi: false + required: false + - name: send_response_header + type: bool + title: Send Response Header + description: |- + If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) + is included in published events. The default is true. enable `send_response` first before enable this option. + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: compressor + type: text + title: Compressor + description: |- + Configures the default compression algorithm being used to uncompress compressed frames by name. 
Currently only `snappy` is can be configured. + By default no compressor is configured. + show_user: false + multi: false + required: false + - name: ignored_ops + type: text + title: Ignored Ops + description: This option indicates which Operator/Operators will be ignored. + show_user: false + multi: true + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: Cassandra + description: Capture Cassandra Traffic + template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json new file mode 100755 index 0000000000..aa2d587c11 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json 
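Review bot: The `send_request_header` description says "the raw message of the response" although the option, and the `cassandra_request.request_headers` field it names, concern the request; it should read `If this option is enabled, the raw message of the request (`cassandra_request.request_headers` field)`. All four `send_*` options state "The default is true" yet none declares a `default:` key, so the documented default is not reflected in the manifest itself and depends on the beat's behaviour; adding `default: true` (or dropping the sentence) makes the file self-consistent. The `port` var has `type: text` but its default is the bare integer list `[9042]`; since the comment explains the values are treated as text, `default: ["9042"]` keeps the default the same scalar type as user-entered values. The `compressor` description reads "Currently only `snappy` is can be configured", which should be `Currently only `snappy` can be configured.`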
@@ -0,0 +1,125 @@ +{ + "@timestamp": "2022-03-09T07:43:05.888Z", + "agent": { + "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "cassandra": { + "request": { + "headers": { + "flags": "Default", + "length": 98, + "op": "QUERY", + "stream": 49, + "version": "4" + }, + "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" + }, + "response": { + "headers": { + "flags": "Default", + "length": 39, + "op": "RESULT", + "stream": 49, + "version": "4" + }, + "result": { + "schema_change": { + "change": "CREATED", + "keyspace": "mykeyspace", + "object": "users", + "target": "TABLE" + }, + "type": "schemaChanged" + } + } + }, + "client": { + "bytes": 107, + "ip": "127.0.0.1", + "port": 52749 + }, + "data_stream": { + "dataset": "network_traffic.cassandra", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 48, + "ip": "127.0.0.1", + "port": 9042 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.cassandra", + "duration": 131589500, + "end": "2022-03-09T07:43:06.019Z", + "ingested": "2022-03-09T07:43:09Z", + "kind": "event", + "start": "2022-03-09T07:43:05.888Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 155, + "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", + "direction": "ingress", + "protocol": "cassandra", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 48, + "ip": "127.0.0.1", + "port": 9042 + }, + "source": { + "bytes": 107, + "ip": "127.0.0.1", + "port": 52749 + }, + "status": "OK", + "type": "cassandra" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs new file mode 100755 index 0000000000..2c56638255 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs @@ -0,0 +1,28 @@ +type: dhcpv4 +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..a0f2d285e8 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,54 @@ +--- +description: Pipeline for processing dhcpv4 traffic +processors: +- set: + field: ecs.version + value: 8.2.0 +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: dhcpv4.client_mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: dhcpv4.client_mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: dhcpv4.client_mac + ignore_missing: true +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml new file mode 100755 index 0000000000..a55e9f71b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml 
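Review bot: The comment block "Set host.mac to dash separated upper case value as per ECS recommendation" introduces three processors that act on `dhcpv4.client_mac`, with the `host.mac` processors only following afterwards; rewording it to `# Normalise dhcpv4.client_mac and host.mac to dash-separated upper case as per ECS` keeps it accurate. The `script` processor reads `ctx.event.category.length` and indexes into it, which presumes `event.category` is always an array; if an older agent ever emits it as a scalar string the access would presumably throw and send the document to `on_failure` with only `error.message` set, so a guard such as `if (ctx.event?.category instanceof List)` would be safer. The `if` clause's lexical comparison on `agent.version` is already caveated by the inline comment, which is adequate for now.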
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml new file mode 100755 index 0000000000..0d1791ffed --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml new file mode 100755 index 0000000000..d23ddc749e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml 
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml 
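Review bot: The description of `response` ends with "this is our representation of the request", which is the `request` field's text copied verbatim; for the response field it should read `For binary protocols this is our representation of the response.` The same copied text appears in the dns data stream's beats.yml, so both copies need the fix. As a point of style, `- name: type` places `type: keyword` after its description while every other entry in this file puts `type` directly under `name`; moving it up keeps the file greppable and consistent.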
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml new file mode 100755 index 0000000000..0180691a5b --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml 
@@ -0,0 +1,177 @@ +- name: dhcpv4 + type: group + fields: + - name: transaction_id + type: keyword + description: | + Transaction ID, a random number chosen by the + client, used by the client and server to associate + messages and responses between a client and a + server. + - name: seconds + type: long + description: | + Number of seconds elapsed since client began address acquisition or + renewal process. + - name: flags + type: keyword + description: | + Flags are set by the client to indicate how the DHCP server should + its reply -- either unicast or broadcast. + - name: client_ip + type: ip + description: The current IP address of the client. + - name: assigned_ip + type: ip + description: | + The IP address that the DHCP server is assigning to the client. + This field is also known as "your" IP address. + - name: server_ip + type: ip + description: | + The IP address of the DHCP server that the client should use for the + next step in the bootstrap process. + - name: relay_ip + type: ip + description: | + The relay IP address used by the client to contact the server + (i.e. a DHCP relay server). + - name: client_mac + type: keyword + description: The client's MAC address (layer two). + - name: server_name + type: keyword + description: | + The name of the server sending the message. Optional. Used in + DHCPOFFER or DHCPACK messages. + - name: op_code + type: keyword + example: bootreply + description: | + The message op code (bootrequest or bootreply). + - name: hops + type: long + description: The number of hops the DHCP message went through. + - name: hardware_type + type: keyword + description: | + The type of hardware used for the local network (Ethernet, + LocalTalk, etc). + - name: option + type: group + fields: + - name: message_type + type: keyword + example: ack + description: | + The specific type of DHCP message being sent (e.g. discover, + offer, request, decline, ack, nak, release, inform). 
+ - name: parameter_request_list + type: keyword + description: | + This option is used by a DHCP client to request values for + specified configuration parameters. + - name: requested_ip_address + type: ip + description: | + This option is used in a client request (DHCPDISCOVER) to allow + the client to request that a particular IP address be assigned. + - name: server_identifier + type: ip + description: | + IP address of the individual DHCP server which handled this + message. + - name: broadcast_address + type: ip + description: | + This option specifies the broadcast address in use on the + client's subnet. + - name: max_dhcp_message_size + type: long + description: | + This option specifies the maximum length DHCP message that the + client is willing to accept. + - name: class_identifier + type: keyword + description: | + This option is used by DHCP clients to optionally identify the + vendor type and configuration of a DHCP client. Vendors may + choose to define specific vendor class identifiers to convey + particular configuration or other identification information + about a client. For example, the identifier may encode the + client's hardware configuration. + - name: domain_name + type: keyword + description: | + This option specifies the domain name that client should use + when resolving hostnames via the Domain Name System. + - name: dns_servers + type: ip + description: | + The domain name server option specifies a list of Domain Name + System servers available to the client. + - name: vendor_identifying_options + type: object + description: | + A DHCP client may use this option to unambiguously identify the + vendor that manufactured the hardware on which the client is + running, the software in use, or an industry consortium to which + the vendor belongs. This field is described in RFC 3925. + - name: subnet_mask + type: ip + description: | + The subnet mask that the client should use on the currnet + network. 
+ - name: utc_time_offset_sec + type: long + description: | + The time offset field specifies the offset of the client's + subnet in seconds from Coordinated Universal Time (UTC). + - name: router + type: ip + description: | + The router option specifies a list of IP addresses for routers + on the client's subnet. + - name: time_servers + type: ip + description: | + The time server option specifies a list of RFC 868 time servers + available to the client. + - name: ntp_servers + type: ip + description: | + This option specifies a list of IP addresses indicating NTP + servers available to the client. + - name: hostname + type: keyword + description: | + This option specifies the name of the client. + - name: ip_address_lease_time_sec + type: long + description: | + This option is used in a client request (DHCPDISCOVER or + DHCPREQUEST) to allow the client to request a lease time for the + IP address. In a server reply (DHCPOFFER), a DHCP server uses + this option to specify the lease time it is willing to offer. + - name: message + type: text + description: | + This option is used by a DHCP server to provide an error message + to a DHCP client in a DHCPNAK message in the event of a failure. + A client may use this option in a DHCPDECLINE message to + indicate the why the client declined the offered parameters. + - name: renewal_time_sec + type: long + description: | + This option specifies the time interval from address assignment + until the client transitions to the RENEWING state. + - name: rebinding_time_sec + type: long + description: | + This option specifies the time interval from address assignment + until the client transitions to the REBINDING state. + - name: boot_file_name + type: keyword + description: | + This option is used to identify a bootfile when the 'file' field + in the DHCP header has been used for DHCP options. 
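Review bot: `option.vendor_identifying_options` is declared `type: object` with no `object_type`, and its sub-keys come straight from the client's vendor-identifying option on the wire, so if this is mapped as a dynamic object (which I believe the package spec does for a bare `object`) any host on the monitored segment can add arbitrary new fields to the index and grow the mapping without bound. Mapping it as `type: flattened`, or at least giving it an `object_type: keyword` as `container.labels` does elsewhere in this package, keeps attacker-controlled keys from becoming mapping entries; please confirm against the package spec. Three description typos in the same hunk should be fixed while here: `flags` reads "how the DHCP server should its reply" (missing "send"), `subnet_mask` has "currnet", and `message` has "indicate the why the client declined".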
diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml
new file mode 100755
index 0000000000..fc09a92781
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml
@@ -0,0 +1,40 @@
+title: DHCP
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [67, 68]
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: DHCP
+ description: Capture DHCP Traffic
+ template_path: dhcpv4.yml.hbs
diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json
new file mode 100755
index 0000000000..59ab870695
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json
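Review bot: The `port` variable is deliberately declared `type: text` (the comment explains the Kibana UI bug), yet its default is written as YAML integers, `default: [67, 68]`, so the default values are not of the declared type even though user-entered values will be strings. Writing `default: ["67", "68"]` makes the default match the comment's intent and avoids depending on whatever coercion the policy compiler applies. This is a consistency point; if package validation already accepts the mismatch it is harmless at runtime.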
@@ -0,0 +1,111 @@ +{ + "@timestamp": "2022-03-09T07:43:52.712Z", + "agent": { + "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 272, + "ip": "0.0.0.0", + "port": 68 + }, + "data_stream": { + "dataset": "network_traffic.dhcpv4", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "255.255.255.255", + "port": 67 + }, + "dhcpv4": { + "client_mac": "00-0B-82-01-FC-42", + "flags": "unicast", + "hardware_type": "Ethernet", + "hops": 0, + "op_code": "bootrequest", + "option": { + "message_type": "discover", + "parameter_request_list": [ + "Subnet Mask", + "Router", + "Domain Name Server", + "NTP Servers" + ], + "requested_ip_address": "0.0.0.0" + }, + "seconds": 0, + "transaction_id": "0x00003d1d" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.dhcpv4", + "ingested": "2022-03-09T07:43:53Z", + "kind": "event", + "start": "2022-03-09T07:43:52.712Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 272, + "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", + "direction": "unknown", + "protocol": "dhcpv4", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "ip": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "server": { + "ip": "255.255.255.255", + 
"port": 67 + }, + "source": { + "bytes": 272, + "ip": "0.0.0.0", + "port": 68 + }, + "status": "OK", + "type": "dhcpv4" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs new file mode 100755 index 0000000000..e68885b2f8 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs @@ -0,0 +1,43 @@ +type: dns +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if include_authorities}} +include_authorities: {{include_authorities}} +{{/if}} +{{#if include_additionals}} +include_additionals: {{include_additionals}} +{{/if}} +{{#if send_request}} +send_request: {{send_request}} +{{/if}} +{{#if send_response}} +send_response: {{send_response}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if transaction_timeout}} +transaction_timeout: {{transaction_timeout}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..70d49c51b6 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing dhcpv4 traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml
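Review bot: This is the dns data stream's ingest pipeline, but its header still says `description: Pipeline for processing dhcpv4 traffic`; it should read `description: Pipeline for processing dns traffic` so that pipeline listings and failure messages point at the right data stream. The `on_failure` handler records only `error.message`, so a document that hits a processor error is indexed looking like any other event; if the package wants failed documents to be findable, setting a marker such as `event.kind: pipeline_error` alongside `error.message` is the convention other integrations use, though that is optional here. The host.mac gsub/uppercase chain also normalizes any string in that field, including non-MAC values, which is fine for ECS but worth noting if the field is ever populated from untrusted input.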
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
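Review bot: `cloud.account.id` is a keyword field, but its `example: 666777888999` is an unquoted YAML scalar and will be loaded as an integer, unlike the `os.build` and `os.codename` examples at the end of the hunk which are quoted. Writing `example: "666777888999"` keeps the example the same type as the field. The rest of this file mirrors the dhcpv4 agent.yml, so the same tweak applies there.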
diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml new file mode 100755 index 0000000000..e2ea6f338f --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml 
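Review bot: The `response` field's description ends with "this is our representation of the request", the same sentence as the `request` field above it; for this field it should say `For binary protocols this is our representation of the response.` This file is byte-identical to the dhcpv4 copy, so whichever source these beats.yml files are generated or copied from should be corrected rather than patching one data stream at a time.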
@@ -0,0 +1,200 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. 
+ name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. + Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
+ The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml new file mode 100755 index 0000000000..28d506b996 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml 
@@ -0,0 +1,110 @@ +- name: dns + type: group + fields: + - name: flags.authoritative + type: boolean + description: > + A DNS flag specifying that the responding server is an authority for the domain name used in the question. + + - name: flags.recursion_available + type: boolean + description: > + A DNS flag specifying whether recursive query support is available in the name server. + + - name: flags.recursion_desired + type: boolean + description: > + A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. + + - name: flags.authentic_data + type: boolean + description: > + A DNS flag specifying that the recursive server considers the response authentic. + + - name: flags.checking_disabled + type: boolean + description: > + A DNS flag specifying that the client disables the server signature validation of the query. + + - name: flags.truncated_response + type: boolean + description: > + A DNS flag specifying that only the first 512 bytes of the reply were returned. + + - name: question.etld_plus_one + type: keyword + description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. + example: amazon.co.uk. + - name: answers_count + type: long + description: > + The number of resource records contained in the `dns.answers` field. + + - name: authorities + type: object + description: > + An array containing a dictionary for each authority section from the answer. + + - name: authorities_count + type: long + description: > + The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. + + - name: authorities.name + type: keyword + description: The domain name to which this resource record pertains. 
+ example: example.com. + - name: authorities.type + type: keyword + description: The type of data contained in this resource record. + example: NS + - name: authorities.class + type: keyword + description: The class of DNS data contained in this resource record. + example: IN + - name: additionals + type: object + description: > + An array containing a dictionary for each additional section from the answer. + + - name: additionals_count + type: long + description: > + The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. + + - name: additionals.name + type: keyword + description: The domain name to which this resource record pertains. + example: example.com. + - name: additionals.type + type: keyword + description: The type of data contained in this resource record. + example: NS + - name: additionals.class + type: keyword + description: The class of DNS data contained in this resource record. + example: IN + - name: additionals.ttl + description: > + The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + + type: long + - name: additionals.data + type: keyword + description: > + The data describing the resource. The meaning of this data depends on the type and class of the resource record. + + - name: opt.version + type: keyword + description: The EDNS version. + example: "0" + - name: opt.do + type: boolean + description: If set, the transaction uses DNSSEC. + - name: opt.ext_rcode + type: keyword + description: Extended response code field. + example: "BADVERS" + - name: opt.udp_size + type: long + description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml b/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml new file mode 100755 index 0000000000..cc5476bfad --- /dev/null 
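Review bot: `authorities` declares only `name`, `type` and `class` sub-fields, while `additionals` also declares `ttl` and `data`; when `include_authorities` is enabled (see the dns manifest in this change) the NS names in the authority section arrive as `dns.authorities.data` with no declared mapping, so they are presumably either dynamically mapped or dropped depending on the index template's dynamic setting. Adding `- name: authorities.ttl` (`type: long`) and `- name: authorities.data` (`type: keyword`) with the same descriptions as their `additionals` counterparts closes the gap. Separately, `opt.do` is documented as `If set, the transaction uses DNSSEC.`; the DO bit only advertises that the requester accepts DNSSEC RRs and says nothing about validation, so a detection built on it would be misled — suggest `If set, the requester advertised that it accepts DNSSEC RRs (EDNS DO bit); this does not imply the answer was validated.`. Likewise `flags.truncated_response` hard-codes `the first 512 bytes`, which is only the non-EDNS limit; `A DNS flag specifying that the reply was truncated to fit the message size limit in use.` is accurate in both cases.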
+++ b/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml 
@@ -0,0 +1,95 @@ +title: DNS +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [53] + - name: include_authorities + type: bool + title: Include Authorities + description: |- + include_authorities controls whether or not the dns.authorities field + (authority resource records) is added to messages. + Default: false + show_user: false + multi: false + required: false + - name: include_additionals + type: bool + title: Include Additionals + description: |- + include_additionals controls whether or not the dns.additionals field + (additional resource records) is added to messages. + Default: false + show_user: false + multi: false + required: false + - name: send_request + type: bool + title: Send Request + description: |- + send_request controls whether or not the stringified DNS + request messages are added to the result. + Nearly all data about the request/response is available in the dns.* + fields, but this can be useful if you need visibility specifically + into the request or the response. + Default: false + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + send_response controls whether or not the stringified DNS + response messages are added to the result. + Nearly all data about the request/response is available in the dns.* + fields, but this can be useful if you need visibility specifically + into the request or the response. + Default: false + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. 
+ show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: DNS + description: Capture DNS Traffic + template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json b/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json new file mode 100755 index 0000000000..476a880555 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json 
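Review bot: `transaction_timeout` is the only option in this manifest whose description states neither its default nor the expected format, whereas `include_authorities` through `send_response` each end with `Default: false`. The value is typed `text` and handed to the agent as-is, so a user cannot tell from the UI whether `10` or `10s` is expected; suggest appending `Expressed as a duration string such as ` + "`10s`" + `. Default: the agent's built-in dns transaction timeout.` (the exact default lives in the dns.yml.hbs template, which is not part of this hunk — confirm before documenting a number). The `processors` description also says this runs `before the logs are parsed` and links to the Filebeat guide, but this is a `packet` input; `before the events are published` and a pointer to the Packetbeat processors documentation would be accurate.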
@@ -0,0 +1,158 @@ +{ + "@timestamp": "2022-03-09T07:48:42.751Z", + "agent": { + "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 28, + "ip": "192.168.238.68", + "port": 53765 + }, + "data_stream": { + "dataset": "network_traffic.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 167, + "ip": "8.8.8.8", + "port": 53 + }, + "dns": { + "additionals_count": 0, + "answers": [ + { + "class": "IN", + "data": "ns-1183.awsdns-19.org", + "name": "elastic.co", + "ttl": "21599", + "type": "NS" + }, + { + "class": "IN", + "data": "ns-2007.awsdns-58.co.uk", + "name": "elastic.co", + "ttl": "21599", + "type": "NS" + }, + { + "class": "IN", + "data": "ns-66.awsdns-08.com", + "name": "elastic.co", + "ttl": "21599", + "type": "NS" + }, + { + "class": "IN", + "data": "ns-835.awsdns-40.net", + "name": "elastic.co", + "ttl": "21599", + "type": "NS" + } + ], + "answers_count": 4, + "authorities_count": 0, + "flags": { + "authentic_data": false, + "authoritative": false, + "checking_disabled": false, + "recursion_available": true, + "recursion_desired": true, + "truncated_response": false + }, + "header_flags": [ + "RD", + "RA" + ], + "id": 26187, + "op_code": "QUERY", + "question": { + "class": "IN", + "etld_plus_one": "elastic.co", + "name": "elastic.co", + "registered_domain": "elastic.co", + "top_level_domain": "co", + "type": "NS" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.dns", + "duration": 68515700, + "end": "2022-03-09T07:48:42.819Z", + "ingested": "2022-03-09T07:48:43Z", + "kind": "event", + "start": 
"2022-03-09T07:48:42.751Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "QUERY", + "network": { + "bytes": 195, + "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", + "direction": "unknown", + "protocol": "dns", + "transport": "udp", + "type": "ipv4" + }, + "query": "class IN, type NS, elastic.co", + "related": { + "ip": [ + "192.168.238.68", + "8.8.8.8" + ] + }, + "resource": "elastic.co", + "server": { + "bytes": 167, + "ip": "8.8.8.8", + "port": 53 + }, + "source": { + "bytes": 28, + "ip": "192.168.238.68", + "port": 53765 + }, + "status": "OK", + "type": "dns" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs new file mode 100755 index 0000000000..80f2a27460 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs @@ -0,0 +1,23 @@ +type: flow +{{#if timeout}} +flows.timeout: '{{timeout}}' +{{/if}} +{{#if period}} +flows.period: '{{period}}' +{{/if}} +{{#if processes}} +procs: + enabled: true + monitored: + {{#each processes}} + - cmdline_grep: {{this}} + {{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..8a45c554fd --- /dev/null 
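Review bot: `cmdline_grep: {{this}}` and the two `{{interface}}` lines in flow.yml.hbs render user-supplied values into YAML unquoted, while `flows.timeout` and `flows.period` in the same template are single-quoted; a process pattern or interface name containing `: `, ` #`, a leading `*`, or anything that looks like a number or boolean will be mis-typed or break the rendered config. Quote them the same way: `- cmdline_grep: '{{this}}'`, `file: '{{interface}}'`, `device: '{{interface}}'`. Note also that the file-versus-device decision is a substring test (`contains ".pcap" interface`), so a device name that happens to contain `.pcap` is treated as a capture file — probably acceptable, but worth a one-line `{{! … }}` comment in the template.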
+++ b/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,27 @@
+---
+description: Pipeline for processing traffic flows
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml
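Review bot: The `on_failure` handler at the end of this pipeline writes the failure text into `error.message` but leaves `event.kind` untouched, so a flow document whose normalization failed is indistinguishable from a healthy one to any query or detection rule that does not explicitly inspect `error.message`. Adding a second processor after the existing one — `- set:` / `field: event.kind` / `value: pipeline_error` — tags such documents with the ECS value reserved for exactly this case. The three `host.mac` processors read correctly for colon- or dot-separated input (strip separators, re-insert `-` after every pair except the last, upper-case); a short comment such as `# (?!$) stops the dash being appended after the final pair` on the second `gsub` would spare the next reader the regex puzzle.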
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
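Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted plain scalar, so a YAML loader reads it as an integer even though the field itself is `keyword`; the later examples in the same file (`"18D109"`, `"stretch"`) are quoted, so `example: "666777888999"` keeps the file consistent and avoids a reformatter turning it into a number. The `host.mac` description is just `Host mac addresses.`; since the ingest pipeline added alongside this file rewrites the value into the dash-separated upper-case form recommended by ECS, saying so here — `Host mac addresses, normalized by the ingest pipeline to the dash-separated upper-case form ECS recommends.` — tells readers why a raw colon-separated search term will not match.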
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml 
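Review bot: The `response` entry near the top of this hunk carries the same copy-paste slip as its dns counterpart: its description ends with `our representation of the request.` and should say `our representation of the response.`. Since this file is otherwise a line-for-line duplicate of the dns data stream's beats.yml, it would be worth fixing both in one commit so they do not drift. The `type` entry also places `type: keyword` after the description, unlike every other entry; moving it above `description:` restores consistency.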
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port
+ type: long
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/manifest.yml b/packages/network_traffic/1.0.1/data_stream/flow/manifest.yml
new file mode 100755
index 0000000000..4f455c6f25
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/flow/manifest.yml
@@ -0,0 +1,23 @@
+title: Flows
+release: beta
+type: logs
+streams:
+ - input: packet
+ title: Flows
+ description: Track Network Flows
+ template_path: flow.yml.hbs
+ vars:
+ - name: period
+ type: text
+ title: Period
+ required: false
+ show_user: false
+ description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
+ default: '10s'
+ - name: timeout
+ type: text
+ title: Flow timeout
+ description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
+ required: false
+ show_user: false
+ default: '30s'
diff --git a/packages/network_traffic/1.0.1/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.0.1/data_stream/http/agent/stream/http.yml.hbs
new file mode 100755
index 0000000000..4c2aecad10
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/http/agent/stream/http.yml.hbs
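Review bot: In the flow manifest hunk neither `period` nor `timeout` documents the accepted value format; given the `'10s'` and `'30s'` defaults these appear to be duration strings, so a sentence such as `Accepts a duration string such as 30s or 5m.` in each description would stop operators from entering bare numbers. The `period` description already states that with `-1` flows are only reported once they time out; it is worth spelling out the consequence, e.g. `With periodic reporting disabled a long-lived connection produces no flow event until it closes or times out.`, because teams relying on flow records for detection need to understand that latency.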
@@ -0,0 +1,85 @@
+type: http
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if hide_keywords}}
+hide_keywords:
+{{#each hide_keywords as |hide_keyword|}}
+ - {{hide_keyword}}
+{{/each}}
+{{/if}}
+{{#if send_headers}}
+send_headers: {{send_headers}}
+{{/if}}
+{{#if send_all_headers}}
+send_all_headers: {{send_all_headers}}
+{{/if}}
+{{#if redact_headers}}
+redact_headers:
+{{#each redact_headers as |redact_header|}}
+ - {{redact_header}}
+{{/each}}
+{{/if}}
+{{#if include_body_for}}
+include_body_for:
+{{#each include_body_for as |include_body_for_elem|}}
+ - {{include_body_for_elem}}
+{{/each}}
+{{/if}}
+{{#if include_request_body_for}}
+include_request_body_for:
+{{#each include_request_body_for as |include_request_body_for_elem|}}
+ - {{include_request_body_for_elem}}
+{{/each}}
+{{/if}}
+{{#if include_response_body_for}}
+include_response_body_for:
+{{#each include_response_body_for as |include_response_body_for_elem|}}
+ - {{include_response_body_for_elem}}
+{{/each}}
+{{/if}}
+{{#if decode_body}}
+decode_body: {{decode_body}}
+{{/if}}
+{{#if split_cookie}}
+split_cookie: {{split_cookie}}
+{{/if}}
+{{#if real_ip_header}}
+real_ip_header: {{real_ip_header}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if transaction_timeout}}
+transaction_timeout: {{transaction_timeout}}
+{{/if}}
+{{#if max_message_size}}
+max_message_size: {{max_message_size}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
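Review bot: `send_headers: {{send_headers}}` in the middle of the hunk renders the variable as a single scalar, yet the http manifest in this same change describes `send_headers` as "A list of header names to capture" while declaring it `type: bool, multi: false`, so the rendered config can only ever be `send_headers: true` or `false` rather than a list of names; `real_ip_header` has the same mismatch (described as a header name, typed `bool`). If a list is intended, render it the way `redact_headers` is rendered a few lines below and change the manifest variable to `type: text, multi: true` (and `real_ip_header` to `type: text`). Worth keeping in mind for anyone enabling these options: `send_all_headers` and the `include_*_body_for` settings capture Authorization/Cookie headers and request bodies verbatim, and `hide_keywords` per the manifest only masks query parameters and top-level form parameters, so `redact_headers` is the only control in this template that covers header values.

```handlebars
{{#if send_headers}}
send_headers:
{{#each send_headers as |send_header|}}
  - {{send_header}}
{{/each}}
{{/if}}
{{!-- … unchanged: send_all_headers, redact_headers, include_*_body_for … --}}
```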
diff --git a/packages/network_traffic/1.0.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..e0cbf2bf88
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing http traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/http/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/http/fields/agent.yml
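Review bot: The `on_failure` handler at the bottom of the pipeline hunk records only `error.message`, so a document whose processors throw is still indexed and looks like a cleanly processed event to any query that filters on `event.kind`; adding a second processor `- set:` / `field: event.kind` / `value: pipeline_error` next to the existing one makes those documents visible to detection rules and dashboards instead of silently degrading coverage. The painless block also dereferences `ctx.event.category` with `[i]` and `.length`, which presumes the field always arrives as a list; if a producer sends it as a plain string the script would fail into this same handler, which is another reason to make that failure path observable.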
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/http/fields/base.yml new file mode 100755 index 0000000000..0d1791ffed --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/http/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/http/fields/beats.yml new file mode 100755 index 0000000000..d23ddc749e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/http/fields/beats.yml 
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/http/fields/ecs.yml new file mode 100755 index 0000000000..d003c7093e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/http/fields/ecs.yml 
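Review bot: The `response` field's description at the top of this hunk carries the same copy-paste error as the flow data stream's beats.yml in this change, ending with "our representation of the request" where it should say `For binary protocols this is our representation of the response.`. Since this file is a verbatim duplicate of the flow copy, the two should be corrected together so the field documentation does not drift between data streams.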
@@ -0,0 +1,203 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Size in bytes of the request body. + name: http.request.body.bytes + type: long +- description: Total size in bytes of the request (body and headers). 
+ name: http.request.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. + name: http.version + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: |- + Domain of the url, such as "www.elastic.co". 
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword 
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/http/fields/protocol.yml
new file mode 100755
index 0000000000..51b73ae344
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/http/fields/protocol.yml
@@ -0,0 +1,26 @@
+- name: http
+ type: group
+ description: Information about the HTTP request and response.
+ fields:
+ - name: request
+ description: HTTP request
+ type: group
+ fields:
+ - name: headers
+ type: flattened
+ description: >
+ A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
+
+ - name: response
+ description: HTTP response
+ type: group
+ fields:
+ - name: status_phrase
+ type: keyword
+ description: The HTTP status phrase.
+ example: Not Found
+ - name: headers
+ type: flattened
+ description: >
+ A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
+
diff --git a/packages/network_traffic/1.0.1/data_stream/http/manifest.yml b/packages/network_traffic/1.0.1/data_stream/http/manifest.yml
new file mode 100755
index 0000000000..f16188331c
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/http/manifest.yml
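Review bot: The descriptions of `http.request.headers` and `http.response.headers` in this hunk say capture is configurable but not that header values are stored as-is, which matters because the http manifest in this change offers `send_all_headers` and, per its own text, `redact_headers` is the option that masks a header's value while keeping its presence. A sentence added to both descriptions, such as `Values are stored verbatim; credential-bearing headers such as Authorization, Cookie and Set-Cookie should be listed in redact_headers before enabling send_all_headers.`, would put that warning where analysts and integration authors look at the field rather than only in the variable help text.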
@@ -0,0 +1,173 @@ +title: HTTP +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [80, 8080, 8000, 5000, 8002] + - name: hide_keywords + type: text + title: Hide Keywords + description: |- + Uncomment the following to hide certain parameters in URL or forms attached + to HTTP requests. The names of the parameters are case insensitive. + The value of the parameters will be replaced with the 'xxxxx' string. + This is generally useful for avoiding storing user passwords or other + sensitive information. + Only query parameters and top level form parameters are replaced. + show_user: false + multi: true + required: false + - name: send_headers + type: bool + title: Send Headers + description: |- + A list of header names to capture and send to Elasticsearch. These headers + are placed under the `headers` dictionary in the resulting JSON. + show_user: false + multi: false + required: false + - name: send_all_headers + type: bool + title: Send All Headers + description: |- + Instead of sending a white list of headers to Elasticsearch, you can send + all headers by setting this option to true. The default is false. + show_user: false + multi: false + required: false + - name: redact_headers + type: text + title: Redact Headers + description: |- + A list of headers to redact if present in the HTTP request. This will keep + the header field present, but will redact it's value to show the headers + presence. + show_user: false + multi: true + required: false + - name: include_body_for + type: text + title: Include Body For + description: |- + The list of content types for which Packetbeat includes the full HTTP + payload. 
If the request's or response's Content-Type matches any on this + list, the full body will be included under the request or response field. + show_user: false + multi: true + required: false + - name: include_request_body_for + type: text + title: Include Request Body For + description: |- + The list of content types for which Packetbeat includes the full HTTP + request payload. + show_user: false + multi: true + required: false + - name: include_response_body_for + type: text + title: Include Response Body For + description: |- + The list of content types for which Packetbeat includes the full HTTP + response payload. + show_user: false + multi: true + required: false + - name: decode_body + type: bool + title: Decode Body + description: |- + Whether the body of a request must be decoded when a content-encoding + or transfer-encoding has been applied. + show_user: false + multi: false + required: false + - name: split_cookie + type: bool + title: Split Cookie + description: |- + If the Cookie or Set-Cookie headers are sent, this option controls whether + they are split into individual values. + show_user: false + multi: false + required: false + - name: real_ip_header + type: bool + title: Real Ip Header + description: |- + The header field to extract the real IP from. This setting is useful when + you want to capture traffic behind a reverse proxy, but you want to get the + geo-location information. + show_user: false + multi: false + required: false + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`request` field) + is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`response` + field) is sent to Elasticsearch. The default is false. 
+ show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. + show_user: false + multi: false + required: false + - name: max_message_size + type: integer + title: Max Message Size + description: |- + Maximum message size. If an HTTP message is larger than this, it will + be trimmed to this size. Default is 10 MB. + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: HTTP + description: Capture HTTP Traffic + template_path: http.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/http/sample_event.json b/packages/network_traffic/1.0.1/data_stream/http/sample_event.json new file mode 100755 index 0000000000..f07301394b --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/http/sample_event.json 
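Review bot: `send_headers` and `real_ip_header` are declared `type: bool`, but their own descriptions describe a list of header names and a single header name, so the UI will render a checkbox and the value handed to the template is a boolean rather than the string(s) the option needs. Declare them as text the way `redact_headers` is: `send_headers` with `type: text` and `multi: true`, `real_ip_header` with `type: text` and `multi: false`. The `port` default `[80, 8080, 8000, 5000, 8002]` is a YAML integer list under a variable whose comment says it must be text; `["80", "8080", "8000", "5000", "8002"]` keeps the declared type honest. Because `send_all_headers`, `send_request`, `send_response` and `include_body_for` persist raw request material, the `send_all_headers` description should say that Authorization, Cookie and Set-Cookie headers are indexed unless they are named in `redact_headers` (whose text also needs `it's value` → `its value`). The `hide_keywords` description opens with `Uncomment the following`, a leftover from the reference config that does not apply to a UI setting.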
@@ -0,0 +1,139 @@ +{ + "@timestamp": "2022-03-09T07:54:42.031Z", + "agent": { + "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 211, + "ip": "192.168.238.50", + "port": 64770 + }, + "data_stream": { + "dataset": "network_traffic.http", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 9108, + "domain": "packetbeat.com", + "ip": "107.170.1.22", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.http", + "duration": 141490400, + "end": "2022-03-09T07:54:42.172Z", + "ingested": "2022-03-09T07:54:43Z", + "kind": "event", + "start": "2022-03-09T07:54:42.031Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "http": { + "request": { + "body": { + "bytes": 55 + }, + "bytes": 211, + "headers": { + "content-length": 55, + "content-type": "application/x-www-form-urlencoded" + }, + "method": "POST" + }, + "response": { + "body": { + "bytes": 8936 + }, + "bytes": 9108, + "headers": { + "content-length": 8936, + "content-type": "text/html; charset=utf-8" + }, + "status_code": 404, + "status_phrase": "not found" + }, + "version": "1.1" + }, + "method": "POST", + "network": { + "bytes": 9319, + "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", + "direction": "unknown", + 
"protocol": "http", + "transport": "tcp", + "type": "ipv4" + }, + "query": "POST /register", + "related": { + "hosts": [ + "packetbeat.com" + ], + "ip": [ + "192.168.238.50", + "107.170.1.22" + ] + }, + "server": { + "bytes": 9108, + "domain": "packetbeat.com", + "ip": "107.170.1.22", + "port": 80 + }, + "source": { + "bytes": 211, + "ip": "192.168.238.50", + "port": 64770 + }, + "status": "Error", + "type": "http", + "url": { + "domain": "packetbeat.com", + "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", + "path": "/register", + "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", + "scheme": "http" + }, + "user_agent": { + "original": "curl/7.37.1" + } +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs new file mode 100755 index 0000000000..f550ca79fa --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs @@ -0,0 +1,22 @@ +type: icmp +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1ae74a0692 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,41 @@ +--- +description: Pipeline for processing icmp traffic +processors: +- set: + field: ecs.version + value: 8.2.0 +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml new file mode 100755 index 0000000000..a55e9f71b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml 
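Review bot: The `on_failure` handler records `error.message` but leaves `event.kind` untouched, so documents that failed in this pipeline are indistinguishable from good ones in dashboards and detection rules that filter on `event.kind`. Adding a second step, `- set:` / `field: event.kind` / `value: pipeline_error`, makes failures searchable. The memcached pipeline later in this diff has the identical handler and needs the same addition.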
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml 
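Review bot: The `response` field's description ends with `this is our representation of the request`, a copy of the `request` text; it should read `this is our representation of the response`. Both fields are `type: text` holding the application-layer bytes as seen on the wire, which for text protocols includes any credentials or cookies the client sent, and the http manifest earlier in this diff only populates them when `send_request`/`send_response` are enabled. Stating that in these descriptions (`Only populated when send_request is enabled; off by default.` and the response counterpart) tells readers the raw payload is not captured unless explicitly turned on, assuming the same gating applies to this data stream.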
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port
+ type: long
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml
new file mode 100755
index 0000000000..5aef1deaf4
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml
@@ -0,0 +1,27 @@
+- name: icmp
+ type: group
+ fields:
+ - name: version
+ type: long
+ description: The version of the ICMP protocol.
+ possible_values:
+ - 4
+ - 6
+ - name: request.message
+ type: keyword
+ description: A human readable form of the request.
+ - name: request.type
+ type: long
+ description: The request type.
+ - name: request.code
+ type: long
+ description: The request code.
+ - name: response.message
+ type: keyword
+ description: A human readable form of the response.
+ - name: response.type
+ type: long
+ description: The response type.
+ - name: response.code
+ type: long
+ description: The response code.
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml b/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml
new file mode 100755
index 0000000000..ca911dc8e0
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml
@@ -0,0 +1,30 @@
+title: ICMP
+release: beta
+type: logs
+streams:
+ - input: packet
+ title: ICMP
+ description: Capture ICMP Traffic
+ template_path: icmp.yml.hbs
+ vars:
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json b/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json
new file mode 100755
index 0000000000..6dfd5d97d4
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json
@@ -0,0 +1,104 @@ +{ + "@timestamp": "2022-03-09T07:57:32.766Z", + "agent": { + "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 4, + "ip": "::1" + }, + "data_stream": { + "dataset": "network_traffic.icmp", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 4, + "ip": "::2" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.icmp", + "duration": 13336600, + "end": "2022-03-09T07:57:32.779Z", + "ingested": "2022-03-09T07:57:36Z", + "kind": "event", + "start": "2022-03-09T07:57:32.766Z", + "type": [ + "connection" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "icmp": { + "request": { + "code": 0, + "message": "EchoRequest", + "type": 128 + }, + "response": { + "code": 0, + "message": "EchoReply", + "type": 129 + }, + "version": 6 + }, + "network": { + "bytes": 8, + "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", + "direction": "egress", + "transport": "ipv6-icmp", + "type": "ipv6" + }, + "path": "::2", + "related": { + "ip": [ + "::1", + "::2" + ] + }, + "server": { + "bytes": 4, + "ip": "::2" + }, + "source": { + "bytes": 4, + "ip": "::1" + }, + "status": "OK", + "type": "icmp" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs new file mode 100755 index 0000000000..136c8ad877 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs @@ -0,0 +1,49 @@ +type: memcache +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if parseunknown}} +parseunknown: {{parseunknown}} +{{/if}} +{{#if maxvalues}} +maxvalues: {{maxvalues}} +{{/if}} +{{#if maxbytespervalue}} +maxbytespervalue: {{maxbytespervalue}} +{{/if}} +{{#if udptransactiontimeout}} +udptransactiontimeout: {{udptransactiontimeout}} +{{/if}} +{{#if send_request}} +send_request: {{send_request}} +{{/if}} +{{#if send_response}} +send_response: {{send_response}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if transaction_timeout}} +transaction_timeout: {{transaction_timeout}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..79d3c2cf54 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing memcached traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml
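Review bot: The `on_failure` handler only records `error.message`, so a document that failed the pipeline is still indexed with `event.kind: event` and is indistinguishable from a good one to dashboards or detection rules that filter on kind. Adding a second processor beside the existing one, `- set:` / `field: event.kind` / `value: pipeline_error`, follows the ECS convention for failed ingest and makes the failures queryable. Less important: the `compareTo("8.")` guard on the script processor is already flagged in the comment as breaking at v10; if the pipeline is expected to outlive that, comparing the parsed major version (for example via `splitOnToken('.')` and `Integer.parseInt`) avoids the lexical-ordering trap, though the current comment is adequate for now.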
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
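Review bot: `example: 666777888999` for the keyword field `cloud.account.id` is an unquoted YAML integer, so any tooling that renders or validates the example sees a number rather than the string the mapping describes; writing it as `example: "666777888999"` matches the field type. In the same file the three folded descriptions at the end (`containerized`, `os.build`, `os.codename`) use `>` followed by a blank line, which leaves a trailing newline in the description text — `>-` gives the same text without it, consistent with the other single-line descriptions in the hunk.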
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml new file mode 100755 index 0000000000..7638afce57 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml 
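Review bot: The description of the `response` field ends with "this is our representation of the request", a copy-paste from the `request` entry just above it; it should read `For binary protocols this is our representation of the response.`. Since the manifest in this same commit says these raw messages are only sent when `send_request` / `send_response` are enabled, a sentence to that effect in both descriptions (`Only populated when send_request is enabled.`) would tell an analyst why the field is usually absent and remind operators that enabling it indexes raw memcache payloads. Also, the `type` entry places `description` before `type: keyword` with a stray blank line inside the block scalar, unlike every other field in the file; reordering it to `- name: type` / `type: keyword` / `description: >` keeps the file uniform.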
@@ -0,0 +1,136 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml new file mode 100755 index 0000000000..4d1c281dde --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml 
@@ -0,0 +1,215 @@ +- name: memcache + type: group + fields: + - name: protocol_type + type: keyword + description: > + The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. + + - name: request.line + type: keyword + description: > + The raw command line for unknown commands ONLY. + + - name: request.command + type: keyword + description: > + The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. + + - name: response.command + type: keyword + description: > + Either the text based protocol response message type or the name of the originating request if binary protocol is used. + + - name: request.type + type: keyword + description: > + The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". + + - name: response.type + type: keyword + description: > + The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). + + - name: response.error_msg + type: keyword + description: > + The optional error message in the memcache response (text based protocol only). + + - name: request.opcode + type: keyword + description: > + The binary protocol message opcode name. + + - name: response.opcode + type: keyword + description: > + The binary protocol message opcode name. + + - name: request.opcode_value + type: long + description: > + The binary protocol message opcode value. 
+ + - name: response.opcode_value + type: long + description: > + The binary protocol message opcode value. + + - name: request.opaque + type: long + description: > + The binary protocol opaque header value used for correlating request with response messages. + + - name: response.opaque + type: long + description: > + The binary protocol opaque header value used for correlating request with response messages. + + - name: request.vbucket + type: long + description: > + The vbucket index sent in the binary message. + + - name: response.status + type: keyword + description: > + The textual representation of the response error code (binary protocol only). + + - name: response.status_code + type: long + description: > + The status code value returned in the response (binary protocol only). + + - name: request.keys + type: array + description: > + The list of keys sent in the store or load commands. + + - name: response.keys + type: array + description: > + The list of keys returned for the load command (if present). + + - name: request.count_values + type: long + description: > + The number of values found in the memcache request message. If the command does not send any data, this field is missing. + + - name: response.count_values + type: long + description: > + The number of values found in the memcache response message. If the command does not send any data, this field is missing. + + - name: request.values + type: array + description: > + The list of base64 encoded values sent with the request (if present). + + - name: response.values + type: array + description: > + The list of base64 encoded values sent with the response (if present). + + - name: request.bytes + type: long + format: bytes + description: > + The byte count of the values being transferred. + + - name: response.bytes + type: long + format: bytes + description: > + The byte count of the values being transferred. 
+ + - name: request.delta + type: long + description: > + The counter increment/decrement delta value. + + - name: request.initial + type: long + description: > + The counter increment/decrement initial value parameter (binary protocol only). + + - name: request.verbosity + type: long + description: > + The value of the memcache "verbosity" command. + + - name: request.raw_args + type: keyword + description: > + The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. + + - name: request.source_class + type: long + description: > + The source class id in 'slab reassign' command. + + - name: request.dest_class + type: long + description: > + The destination class id in 'slab reassign' command. + + - name: request.automove + type: keyword + description: > + The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. + + - name: request.flags + type: long + description: > + The memcache command flags sent in the request (if present). + + - name: response.flags + type: long + description: > + The memcache message flags sent in the response (if present). + + - name: request.exptime + type: long + description: > + The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). + + - name: request.sleep_us + type: long + description: > + The sleep setting in microseconds for the 'lru_crawler sleep' command. + + - name: response.value + type: long + description: > + The counter value returned by a counter operation. + + - name: request.noreply + type: boolean + description: > + Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
+ + - name: request.quiet + type: boolean + description: > + Set to true if the binary protocol message is to be treated as a quiet message. + + - name: request.cas_unique + type: long + description: > + The CAS (compare-and-swap) identifier if present. + + - name: response.cas_unique + type: long + description: > + The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). + + - name: response.stats + type: array + description: > + The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". + + - name: response.version + type: keyword + description: > + The returned memcache version string. + diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml b/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml new file mode 100755 index 0000000000..9120331b9d --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml 
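Review bot: `request.keys`, `response.keys`, `request.values`, `response.values` and `response.stats` are declared `type: array` with no element type, so the mapping does not say what the list members are; the descriptions themselves state that keys and values are strings (base64 encoded for values). Elasticsearch keyword fields already accept arrays, so `type: keyword` for the four key/value fields describes the data precisely. For `response.stats`, whose entries are described as dictionaries with `name` and `value`, a `type: group` with `name` and `value` keyword sub-fields would declare those members explicitly; if `array` is left untyped, I would expect the sub-fields to be mapped dynamically or rejected under a strict mapping, which is worth confirming with elastic-package.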
@@ -0,0 +1,116 @@ +title: Memcached +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [11211] + - name: parseunknown + type: bool + title: Parseunknown + description: |- + Uncomment the parseunknown option to force the memcache text protocol parser + to accept unknown commands. + Note: All unknown commands MUST not contain any data parts! + Default: false + show_user: false + multi: false + required: false + - name: maxvalues + type: integer + title: Maxvalues + description: |- + Update the maxvalue option to store the values - base64 encoded - in the + json output. + possible values: + maxvalue: -1 store all values (text based protocol multi-get) + maxvalue: 0 store no values at all + maxvalue: N store up to N values + Default: 0 + show_user: false + multi: false + required: false + - name: maxbytespervalue + type: integer + title: Maxbytespervalue + description: |- + Use maxbytespervalue to limit the number of bytes to be copied per value element. + Note: Values will be base64 encoded, so actual size in json document + will be 4 times maxbytespervalue. + Default: unlimited + show_user: false + multi: false + required: false + - name: udptransactiontimeout + type: integer + title: Udptransactiontimeout + description: |- + UDP transaction timeout in milliseconds. + Note: Quiet messages in UDP binary protocol will get response only in error case. + The memcached analyzer will wait for udptransactiontimeout milliseconds + before publishing quiet messages. Non quiet messages or quiet requests with + error response will not have to wait for the timeout. 
+ Default: 200 + show_user: false + multi: false + required: false + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`request` field) + is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`response` + field) is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: Memcached + description: Capture Memcached Traffic + template_path: memcached.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json b/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json new file mode 100755 index 0000000000..4b4dc284f8 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json 
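Review bot: Several variable descriptions are lifted from a reference config file and do not fit a Fleet policy setting: `parseunknown` says "Uncomment the parseunknown option" and `maxvalues` says "Update the maxvalue option ... in the json output", but there is nothing to uncomment or edit in the UI. Rewording them as plain statements, `Force the memcache text protocol parser to accept unknown commands.` and `Number of values to store, base64 encoded, in the event (-1 stores all, 0 stores none, N stores up to N).`, keeps the meaning without the stale instructions. `transaction_timeout` is `type: text` but its description gives no format; stating the expected form (a duration string, if that is what the beat parses) saves users a failed policy. Finally, `maxvalues`, `send_request` and `send_response` cause cached application data and raw payloads to be indexed, and a short sentence noting that in their descriptions helps operators weigh retention and access control for the resulting documents.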
@@ -0,0 +1,112 @@ +{ + "@timestamp": "2022-03-09T08:09:26.564Z", + "agent": { + "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "ip": "192.168.188.37", + "port": 65195 + }, + "data_stream": { + "dataset": "network_traffic.memcached", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 1064, + "ip": "192.168.188.38", + "port": 11211 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.memcached", + "ingested": "2022-03-09T08:09:37Z", + "kind": "event", + "start": "2022-03-09T08:09:26.564Z", + "type": [ + "connection", + "protocol" + ] + }, + "event.action": "memcache.store", + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "memcache": { + "protocol_type": "binary", + "request": { + "bytes": 1024, + "command": "set", + "count_values": 1, + "exptime": 0, + "flags": 0, + "keys": [ + "test_key" + ], + "opaque": 65536, + "opcode": "SetQ", + "opcode_value": 17, + "quiet": true, + "type": "Store", + "vbucket": 0 + } + }, + "network": { + "bytes": 1064, + "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", + "direction": "unknown", + "protocol": "memcache", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.188.37", + "192.168.188.38" + ] + }, + "server": { + "bytes": 1064, + "ip": "192.168.188.38", + "port": 11211 
+ }, + "source": { + "ip": "192.168.188.37", + "port": 65195 + }, + "status": "OK", + "type": "memcache" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs new file mode 100755 index 0000000000..fe92042bcc --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs @@ -0,0 +1,43 @@ +type: mongodb +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if max_docs}} +max_docs: {{max_docs}} +{{/if}} +{{#if max_doc_length}} +max_doc_length: {{max_doc_length}} +{{/if}} +{{#if send_request}} +send_request: {{send_request}} +{{/if}} +{{#if send_response}} +send_response: {{send_response}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if transaction_timeout}} +transaction_timeout: {{transaction_timeout}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..53b9f4a0df --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml 
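Review bot: `{{#if max_doc_length}}` drops the key whenever the value is 0, because Handlebars treats 0 as falsy, yet the mongodb data stream manifest documents 0 as the way to index an unlimited number of characters per document; a user who sets 0 silently gets the 5000-character default instead. The block should test whether the variable was set rather than whether it is truthy, or, if this template dialect offers no such helper, the manifest text should stop advertising 0. The `interface` block (also present in mysql.yml.hbs) references a variable the visible data stream manifest does not declare, so presumably it is a package-level var — worth confirming. Its `(contains ".pcap" interface)` test is a substring match, so any device name containing `.pcap` is treated as a capture file; that is probably acceptable but deserves a one-line comment stating it.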
@@ -0,0 +1,41 @@ +--- +description: Pipeline for processing mongodb traffic +processors: +- set: + field: ecs.version + value: 8.2.0 +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml new file mode 100755 index 0000000000..a55e9f71b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml 
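Review bot: The Painless script guards only against `ctx.event?.category` being null, then reads `.length` on it and calls `remove(i)`, which presumes the field is a list; if an older agent ever sends `event.category` as a plain string the processor fails and, through `on_failure`, the whole event is tagged with an error instead of the stray term simply being left in place. Extending the guard to `if (ctx.event?.category != null && ctx.event.category instanceof List) {` keeps the cleanup best-effort. The same script appears verbatim in the mysql pipeline (`default.yml` under `data_stream/mysql`), so both should change together. The `if:` condition and its `v10.x` caveat comment are fine as written and worth keeping.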
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml new file mode 100755 index 0000000000..0d1791ffed --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml new file mode 100755 index 0000000000..d23ddc749e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml 
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml 
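Review bot: The `response` field's description ends with `For binary protocols this is our representation of the request.`, copied from the `request` entry above it; it should read `For binary protocols this is our representation of the response.`. The `type` entry also places `description` before `type: keyword` with a blank line in between, unlike every other entry in the file, which lists `type` first; reordering it keeps the file uniform and removes the stray blank line from the folded scalar.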
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml new file mode 100755 index 0000000000..a84465c61e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml 
@@ -0,0 +1,58 @@ +- name: mongodb + type: group + fields: + - name: error + type: keyword + description: > + If the MongoDB request has resulted in an error, this field contains the error message returned by the server. + + - name: fullCollectionName + type: keyword + description: > + The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. + + - name: numberToSkip + type: long + description: > + Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. + + - name: numberToReturn + type: long + description: > + The requested maximum number of documents to be returned. + + - name: numberReturned + type: long + description: > + The number of documents in the reply. + + - name: startingFrom + type: keyword + description: > + Where in the cursor this reply is starting. + + - name: query + type: keyword + description: > + A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. + + - name: returnFieldsSelector + type: keyword + description: > + A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. + + - name: selector + type: keyword + description: > + A BSON document that specifies the query for selecting the document to update or delete. + + - name: update + type: keyword + description: > + A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
+ + - name: cursorId + type: keyword + description: > + The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. + diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml new file mode 100755 index 0000000000..0ff11578a2 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml 
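Review bot: `mongodb.query`, `mongodb.returnFieldsSelector`, `mongodb.selector` and `mongodb.update` hold whole JSON/BSON documents but are mapped as `keyword` with no `ignore_above`; a document exceeding Lucene's 32766-byte term limit is rejected at index time, and the size of those documents is chosen by whichever client sent the query, not by the operator. Either add `ignore_above: 1024` (the convention used in agent.yml) or map them as `text`, depending on whether exact-match filtering on them is needed. `startingFrom` and `cursorId` are typed `keyword` while the neighbouring counters are `long` and the sample event shows both as numbers (`0`); if they are always numeric, `long` would permit range queries and avoid a mixed representation.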
@@ -0,0 +1,86 @@ +title: MongoDB +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [27017] + - name: max_docs + type: integer + title: Max Docs + description: |- + The maximum number of documents from the response to index in the `response` + field. The default is 10. + show_user: false + multi: false + required: false + - name: max_doc_length + type: integer + title: Max Doc Length + description: |- + The maximum number of characters in a single document indexed in the + `response` field. The default is 5000. You can set this to 0 to index an + unlimited number of characters per document. + show_user: false + multi: false + required: false + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`request` field) + is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`response` + field) is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. 
+ show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: MongoDB + description: Capture MongoDB Traffic + template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json new file mode 100755 index 0000000000..4cfd576e4c --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json 
@@ -0,0 +1,106 @@ +{ + "@timestamp": "2022-03-09T08:15:48.570Z", + "agent": { + "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 50, + "ip": "127.0.0.1", + "port": 57203 + }, + "data_stream": { + "dataset": "network_traffic.mongodb", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 514, + "ip": "127.0.0.1", + "port": 27017 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.mongodb", + "duration": 1365900, + "end": "2022-03-09T08:15:48.571Z", + "ingested": "2022-03-09T08:15:49Z", + "kind": "event", + "start": "2022-03-09T08:15:48.570Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "find", + "mongodb": { + "cursorId": 0, + "fullCollectionName": "test.restaurants", + "numberReturned": 1, + "numberToReturn": 1, + "numberToSkip": 0, + "startingFrom": 0 + }, + "network": { + "bytes": 564, + "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", + "direction": "ingress", + "protocol": "mongodb", + "transport": "tcp", + "type": "ipv4" + }, + "query": "test.restaurants.find().limit(1)", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "resource": "test.restaurants", + "server": { + "bytes": 514, + "ip": "127.0.0.1", + "port": 27017 + }, + "source": { + "bytes": 50, + 
"ip": "127.0.0.1", + "port": 57203 + }, + "status": "OK", + "type": "mongodb" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs new file mode 100755 index 0000000000..85b82a47b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs @@ -0,0 +1,37 @@ +type: mysql +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if send_request}} +send_request: {{send_request}} +{{/if}} +{{#if send_response}} +send_response: {{send_response}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if transaction_timeout}} +transaction_timeout: {{transaction_timeout}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..23ad4ad9d5 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,41 @@ +--- +description: Pipeline for processing mysql traffic +processors: +- set: + field: ecs.version + value: 8.2.0 +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml new file mode 100755 index 0000000000..a55e9f71b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml 
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
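Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so YAML reads it as an integer even though the field is `keyword` and the description calls it an account id; `example: "666777888999"` keeps the example the same type as the field, and the file already quotes `os.build`'s `"18D109"`, so it is inconsistent with itself. The container group's description reads `correlate data based containers`, which looks like a dropped word (`correlate data based on containers`). If these field files are regenerated from ECS rather than hand-edited, the fix belongs in the generator's source, but the rendered file is what ships. nfs/fields/agent.yml at L3366-L3368 is the same blob (a55e9f71b3) and carries both points.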
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml 
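Review bot: The `response` field's description ends with `our representation of the request.`, copied from the `request` entry above it; it should read `For binary protocols this is our representation of the response.`. Further down, the `type` entry places `description` before `type: keyword` with a stray blank line between them, while every other entry in the file lists `type` first; moving `type: keyword` up under `- name: type` restores the pattern. Both appear unchanged in nfs/fields/beats.yml at L3370-L3371 (same blob d23ddc749e).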
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port
+ type: long
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml
new file mode 100755
index 0000000000..64675f8d8e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml
@@ -0,0 +1,38 @@
+- name: mysql
+ type: group
+ fields:
+ - name: affected_rows
+ type: long
+ description: >
+ If the MySQL command is successful, this field contains the affected number of rows of the last statement.
+
+ - name: insert_id
+ type: keyword
+ description: >
+ If the INSERT query is successful, this field contains the id of the newly inserted row.
+
+ - name: num_fields
+ type: long
+ description: >
+ If the SELECT query is successful, this field is set to the number of fields returned.
+
+ - name: num_rows
+ type: long
+ description: >
+ If the SELECT query is successful, this field is set to the number of rows returned.
+
+ - name: query
+ type: keyword
+ description: >
+ The row mysql query as read from the transaction's request.
+
+ - name: error_code
+ type: long
+ description: >
+ The error code returned by MySQL.
+
+ - name: error_message
+ type: keyword
+ description: >
+ The error info message returned by MySQL.
+
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml b/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml
new file mode 100755
index 0000000000..c4655854f0
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml
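Review bot: The `mysql.query` description says `The row mysql query`; it should read `The raw mysql query as read from the transaction's request.`. Because this field indexes the statement verbatim, the description would serve operators better if it also noted that literal values embedded in the statement are stored as-is, which is the same consideration behind `send_request` defaulting to off in the manifest. `insert_id` is declared `keyword`, yet the sample event at L3363 emits `"insert_id": 0` as a number; Elasticsearch coerces that into the keyword, but the mapping and the sample should agree on one representation so queries and dashboards are not surprised later.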
@@ -0,0 +1,67 @@
+title: MySQL
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [3306, 3307]
+ - name: send_request
+ type: bool
+ title: Send Request
+ description: |-
+ If this option is enabled, the raw message of the request (`request` field)
+ is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: send_response
+ type: bool
+ title: Send Response
+ description: |-
+ If this option is enabled, the raw message of the response (`response`
+ field) is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: transaction_timeout
+ type: text
+ title: Transaction Timeout
+ description: |-
+ Transaction timeout. Expired transactions will no longer be correlated to
+ incoming responses, but sent to Elasticsearch immediately.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: MySQL
+ description: Capture MySQL Traffic
+ template_path: mysql.yml.hbs
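Review bot: The `port` var is declared `type: text` (the comment explains why), but `default: [3306, 3307]` leaves the defaults as YAML integers, so the declared type and the default disagree; `default: ["3306", "3307"]` matches the comment's intent, assuming the package spec accepts quoted defaults for a multi text var. `transaction_timeout` is free text with no format hint, so a description line such as `Transaction timeout as a duration, for example 10s.` would keep malformed values from reaching the template unnoticed. The `send_request` and `send_response` descriptions say only that the raw message is sent; stating that the raw request carries statement text and the raw response carries result rows explains why both default to false and lets the user judge what ends up indexed.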
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json b/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json
new file mode 100755
index 0000000000..2c33116053
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json
@@ -0,0 +1,104 @@ +{ + "@timestamp": "2022-03-09T08:20:44.667Z", + "agent": { + "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 23, + "ip": "127.0.0.1", + "port": 41517 + }, + "data_stream": { + "dataset": "network_traffic.mysql", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 3629, + "ip": "127.0.0.1", + "port": 3306 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.mysql", + "duration": 5532500, + "end": "2022-03-09T08:20:44.673Z", + "ingested": "2022-03-09T08:20:45Z", + "kind": "event", + "start": "2022-03-09T08:20:44.667Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SELECT", + "mysql": { + "affected_rows": 0, + "insert_id": 0, + "num_fields": 3, + "num_rows": 15 + }, + "network": { + "bytes": 3652, + "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", + "direction": "ingress", + "protocol": "mysql", + "transport": "tcp", + "type": "ipv4" + }, + "path": "test.test", + "query": "select * from test", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3629, + "ip": "127.0.0.1", + "port": 3306 + }, + "source": { + "bytes": 23, + "ip": "127.0.0.1", + "port": 41517 + }, + "status": "OK", + "type": "mysql" +} \ No newline at end of 
file
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs
new file mode 100755
index 0000000000..c8349a7bcb
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs
@@ -0,0 +1,37 @@
+type: nfs
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if transaction_timeout}}
+transaction_timeout: {{transaction_timeout}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..cd66758ed4
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing nfs traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml new file mode 100755 index 0000000000..2b26a193f9 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml 
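Review bot: The description of `response` ends with "our representation of the request", a copy-paste of the `request` entry's text; it should read `For binary protocols this is our representation of the response.` The identical text is in the pgsql copy of beats.yml later in this diff. Since `request` and `response` hold raw wire payloads that only exist when the stream's `send_request`/`send_response` options are enabled, a short sentence saying so in each description (`Only populated when send_request is enabled.`) would tell readers of the mapping why the fields are usually empty. The `type` entry also places `description` before `type: keyword` with a stray blank line inside the folded scalar, unlike every other entry; reordering it to match is a small style fix.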
@@ -0,0 +1,144 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. 
+ If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: group.id + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. 
+ name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: Unique identifier of the user. + name: user.id + type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml new file mode 100755 index 0000000000..4bcf6fecec --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml 
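Review bot: `user.id` and `group.id` are documented only as "Unique identifier of the user/group", yet the sample event in this diff carries the same values in `rpc.cred.uid` and `rpc.cred.gid`, which protocol.yml describes as the caller's credentials "in case of auth-unix"; the ECS fields therefore appear to be copied from the RPC AUTH_UNIX credential. That credential is asserted by the client and not verified by the server, so a detection or access-review query keyed on `user.id` would be trusting an unauthenticated claim without the description saying so. Proposed wording: `Unique identifier of the user. For NFS this is taken from the RPC AUTH_UNIX credential, which is supplied by the client and is not authenticated; use rpc.auth_flavor to judge its trustworthiness.` The same caveat belongs on `rpc.cred.uid`, `rpc.cred.gid` and `rpc.cred.gids` in protocol.yml.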
@@ -0,0 +1,48 @@
+- name: nfs
+ type: group
+ fields:
+ - name: version
+ type: long
+ description: NFS protocol version number.
+ - name: minor_version
+ type: long
+ description: NFS protocol minor version number.
+ - name: tag
+ type: keyword
+ description: NFS v4 COMPOUND operation tag.
+ - name: opcode
+ type: keyword
+ description: >
+ NFS operation name, or main operation name, in case of COMPOUND calls.
+
+ - name: status
+ type: keyword
+ description: NFS operation reply status.
+- name: rpc
+ type: group
+ description: ONC RPC specific event fields.
+ fields:
+ - name: xid
+ type: keyword
+ description: RPC message transaction identifier.
+ - name: status
+ type: keyword
+ description: RPC message reply status.
+ - name: auth_flavor
+ type: keyword
+ description: RPC authentication flavor.
+ - name: cred.uid
+ type: long
+ description: RPC caller's user id, in case of auth-unix.
+ - name: cred.gid
+ type: long
+ description: RPC caller's group id, in case of auth-unix.
+ - name: cred.gids
+ type: long
+ description: RPC caller's secondary group ids, in case of auth-unix.
+ - name: cred.stamp
+ type: long
+ description: Arbitrary ID which the caller machine may generate.
+ - name: cred.machinename
+ type: keyword
+ description: The name of the caller's machine.
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml b/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml
new file mode 100755
index 0000000000..4e5323fa1e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml
@@ -0,0 +1,67 @@
+title: NFS
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [2049]
+ - name: send_request
+ type: bool
+ title: Send Request
+ description: |-
+ If this option is enabled, the raw message of the request (`request` field)
+ is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: send_response
+ type: bool
+ title: Send Response
+ description: |-
+ If this option is enabled, the raw message of the response (`response`
+ field) is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: transaction_timeout
+ type: text
+ title: Transaction Timeout
+ description: |-
+ Transaction timeout. Expired transactions will no longer be correlated to
+ incoming responses, but sent to Elasticsearch immediately.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: NFS
+ description: Capture NFS Traffic
+ template_path: nfs.yml.hbs
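Review bot: The `send_request` and `send_response` descriptions explain the toggle but not that the raw NFS message copied into `request`/`response` may carry data the operator does not expect to index, such as file names and the AUTH_UNIX credentials present in the RPC header; a sentence like `The raw message may contain sensitive data; enable only where the destination index is appropriately protected.` lets users make that choice deliberately. `transaction_timeout` is a free-text variable with neither a `default:` nor a stated format, and the pgsql template in this diff writes its value unquoted into `transaction_timeout:` (the nfs template, nfs.yml.hbs, is not in view but presumably does the same), so an unparseable value would surface only at agent start; naming the expected form in the description (presumably a duration such as `10s`) would help. The `port` variable's `default: [2049]` is a flow list of an integer under a `text` variable, which the inline comment explains; quoting it as `["2049"]` would match the declared type and avoid a loader treating it as a number.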
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json b/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json
new file mode 100755
index 0000000000..de4b4525e0
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json
@@ -0,0 +1,123 @@ +{ + "@timestamp": "2022-03-09T08:24:00.569Z", + "agent": { + "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 208, + "domain": "desycloud03.desy.de", + "ip": "131.169.5.156", + "port": 907 + }, + "data_stream": { + "dataset": "network_traffic.nfs", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 176, + "ip": "131.169.192.35", + "port": 2049 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "nfs.CLOSE", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.nfs", + "duration": 6573500, + "end": "2022-03-09T08:24:00.575Z", + "ingested": "2022-03-09T08:24:01Z", + "kind": "event", + "start": "2022-03-09T08:24:00.569Z", + "type": [ + "connection", + "protocol" + ] + }, + "group.id": 48, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "host.hostname": "desycloud03.desy.de", + "network": { + "bytes": 384, + "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", + "direction": "unknown", + "protocol": "nfsv4", + "transport": "tcp", + "type": "ipv4" + }, + "nfs": { + "minor_version": 1, + "opcode": "CLOSE", + "status": "NFS_OK", + "tag": "", + "version": 4 + }, + "related": { + "ip": [ + "131.169.5.156", + "131.169.192.35" + ] + }, + "rpc": { + "auth_flavor": "unix", + "cred": { + "gid": 48, + "gids": [ + 48 + ], + "machinename": "desycloud03.desy.de", + 
"stamp": 4308441, + "uid": 48 + }, + "status": "success", + "xid": "c3103fc1" + }, + "server": { + "bytes": 176, + "ip": "131.169.192.35", + "port": 2049 + }, + "source": { + "bytes": 208, + "domain": "desycloud03.desy.de", + "ip": "131.169.5.156", + "port": 907 + }, + "status": "OK", + "type": "nfs", + "user.id": 48 +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs new file mode 100755 index 0000000000..8680c36b1a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs @@ -0,0 +1,37 @@ +type: pgsql +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if send_request}} +send_request: {{send_request}} +{{/if}} +{{#if send_response}} +send_response: {{send_response}} +{{/if}} +{{#if keep_null}} +keep_null: {{keep_null}} +{{/if}} +{{#if transaction_timeout}} +transaction_timeout: {{transaction_timeout}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..7bd75120a7 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing pgsql traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml
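Review bot: The `on_failure` handler records only `error.message`, so an event whose processing failed is indexed with no marker distinguishing it from a cleanly processed one, which makes such events easy to miss when investigating gaps. ECS defines the `event.kind` value `pipeline_error` for this case; adding a second processor in the handler, `- set:` / `field: event.kind` / `value: pipeline_error`, makes failed events searchable. The version-gated script is already caveated by its inline comment; `value: 8.2.0` reads as a string under both YAML 1.1 and 1.2, but quoting it as `"8.2.0"` would make that intent explicit for the `keyword` field it feeds.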
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
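Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is `keyword`; quote it as `example: "666777888999"`, as the file already does for `os.build`'s `"18D109"`. The nfs copy of agent.yml earlier in this diff presumably carries the same line, since its visible tail is identical. Quoting is also mixed within the file — single-quoted multi-paragraph descriptions for the ECS entries and `>` folded scalars with trailing blank lines for `containerized`, `os.build` and `os.codename` — which is harmless but reads unevenly; `>-` on the last three would drop the stray trailing newline.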
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml 
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port
+ type: long
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml
new file mode 100755
index 0000000000..4fd03e12cb
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml
@@ -0,0 +1,26 @@
+- name: pgsql
+ type: group
+ fields:
+ - name: error_code
+ description: The PostgreSQL error code.
+ type: keyword
+ - name: error_message
+ type: keyword
+ description: The PostgreSQL error message.
+ - name: error_severity
+ type: keyword
+ description: The PostgreSQL error severity.
+ possible_values:
+ - ERROR
+ - FATAL
+ - PANIC
+ - name: num_fields
+ type: long
+ description: >
+ If the SELECT query if successful, this field is set to the number of fields returned.
+
+ - name: num_rows
+ type: long
+ description: >
+ If the SELECT query if successful, this field is set to the number of rows returned.
+
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml
new file mode 100755
index 0000000000..eb205cd837
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml
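Review bot: No `event.outcome` mapping is declared for the pgsql stream, whereas the redis `ecs.yml` added in this same change declares both `event.action` and `event.outcome`, and the pgsql sample event carries `status: "OK"` with no `event.outcome`. If the pgsql pipeline or packetbeat is meant to set success/failure from `status` or `pgsql.error_severity`, the field needs an entry here (`- description: ...`, `name: event.outcome`, `type: keyword`), otherwise it would depend on dynamic mapping. If it is intentionally unset for pgsql, a short comment saying so would stop the two streams from looking accidentally inconsistent.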
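Review bot: The `num_fields` and `num_rows` descriptions both read "If the SELECT query if successful"; the first should be `If the SELECT query is successful, this field is set to the number of fields returned.` and the second the same with `rows`. `error_message` is a `keyword` with no `ignore_above`, unlike the keywords in this package's agent.yml, so an unusually long server message is indexed as a single term or, past Lucene's term-size limit, rejects the event; `ignore_above: 1024` bounds that. Server error messages may also echo parts of the failing statement, so the description could note that the field can carry sensitive literals.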
@@ -0,0 +1,67 @@
+title: PostgreSQL
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [5432]
+ - name: send_request
+ type: bool
+ title: Send Request
+ description: |-
+ If this option is enabled, the raw message of the request (`request` field)
+ is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: send_response
+ type: bool
+ title: Send Response
+ description: |-
+ If this option is enabled, the raw message of the response (`response`
+ field) is sent to Elasticsearch. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: transaction_timeout
+ type: text
+ title: Transaction Timeout
+ description: |-
+ Transaction timeout. Expired transactions will no longer be correlated to
+ incoming responses, but sent to Elasticsearch immediately.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: PostgreSQL
+ description: Capture PostgreSQL Traffic
+ template_path: pgsql.yml.hbs
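Review bot: The `send_request`/`send_response` descriptions say the raw message is sent to Elasticsearch but not what that implies: the `request` and `response` fields are the application-layer payload as seen on the wire, which for PostgreSQL can include full statement text with literal values and, depending on the authentication method in use, the authentication exchange. Suggest appending to both descriptions: `Raw payloads may contain credentials or other sensitive data; enable only where read access to this data stream is restricted.`. `transaction_timeout` is also a free-text var whose expected format and default are not stated; naming the format (presumably a duration such as `10s`) and the default in its description would avoid guesswork in the UI.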
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json
new file mode 100755
index 0000000000..462f734f42
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json
@@ -0,0 +1,101 @@ +{ + "@timestamp": "2022-03-09T08:29:39.675Z", + "agent": { + "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 34, + "ip": "127.0.0.1", + "port": 34936 + }, + "data_stream": { + "dataset": "network_traffic.pgsql", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 3186, + "ip": "127.0.0.1", + "port": 5432 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.pgsql", + "duration": 2568100, + "end": "2022-03-09T08:29:39.678Z", + "ingested": "2022-03-09T08:29:40Z", + "kind": "event", + "start": "2022-03-09T08:29:39.675Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SELECT", + "network": { + "bytes": 3220, + "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", + "direction": "ingress", + "protocol": "pgsql", + "transport": "tcp", + "type": "ipv4" + }, + "pgsql": { + "num_fields": 3, + "num_rows": 15 + }, + "query": "select * from long_response", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3186, + "ip": "127.0.0.1", + "port": 5432 + }, + "source": { + "bytes": 34, + "ip": "127.0.0.1", + "port": 34936 + }, + "status": "OK", + "type": "pgsql" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs
new file mode 100755
index 0000000000..f357ca3a6d
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs
@@ -0,0 +1,43 @@
+type: redis
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if transaction_timeout}}
+transaction_timeout: {{transaction_timeout}}
+{{/if}}
+{{#if queue_max_bytes}}
+queue_max_bytes: {{queue_max_bytes}}
+{{/if}}
+{{#if queue_max_messages}}
+queue_max_messages: {{queue_max_messages}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..a2af2349ac
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
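Review bot: The free-text vars are rendered as unquoted YAML scalars, e.g. `transaction_timeout: {{transaction_timeout}}` and `- {{tag}}`, so a value containing `: ` or ` #`, or starting with a YAML indicator, would break or retype the rendered packetbeat config; quoting them, `transaction_timeout: "{{transaction_timeout}}"` and `- "{{tag}}"`, avoids that, while `port` can stay bare since packetbeat expects integers there. The `contains ".pcap" interface` test is a substring match rather than a suffix match, so a device name that happens to contain `.pcap` would be configured as a capture file; worth a comment if that is intentional. `{{processors}}` is spliced in at column 0 beneath `processors:`, which assumes the user's YAML is a flush-left sequence; if the var can hold anything else, an indentation-aware render would be safer.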
@@ -0,0 +1,41 @@
+---
+description: Pipeline for processing redis traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- script:
+ description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+ # This string-based comparison is valid while versions are below v10.x.
+ if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+ lang: painless
+ source: >
+ if (ctx.event?.category != null) {
+ for (int i=ctx.event.category.length-1; i>=0; i--) {
+ if (ctx.event.category[i] == "network_traffic") {
+ ctx.event.category.remove(i);
+ }
+ }
+ }
+
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml
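Review bot: The category-cleanup script assumes `ctx.event.category` is a list (`[i]` indexing and `remove(i)`), but the guard only checks for null, so an event where the field arrives as a plain string would presumably fail the script and land in `on_failure` with the stale value still present. Tightening the guard to `if (ctx.event?.category instanceof List) {` handles both shapes without changing the list case. The `gsub`/`uppercase` chain on `host.mac` likewise receives an array in this package's sample events; if those processors are relied on to iterate arrays on the supported stack versions, a one-line comment saying so would help, since the `## Set host.mac ...` block only describes the target format.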
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
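Review bot: The `os.platform` description reads "such centos, ubuntu, windows"; it should be `Operating system platform (such as centos, ubuntu, windows).`. The `account.id` example `666777888999` is an unquoted integer under a `keyword` field, so the example is typed differently from the field it illustrates; `example: "666777888999"` keeps them consistent, as `"18D109"` already is for `os.build`. The rest is the standard cloud/container/host field set and reads fine.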
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml new file mode 100755 index 0000000000..7638afce57 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml 
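Review bot: The `response` field's description still says "our representation of the request", copied from the `request` entry above it; for this field it should read `For binary protocols this is our representation of the response.`. The `type` entry's `type: keyword` sits after the blank line ending its folded description rather than directly under `name: type`, which is valid but inconsistent with every other entry in the file. As `request`, `response`, `query` and `params` are wire-level payloads, a one-line warning that they may carry sensitive data (for Redis, whatever values the application stores) would be worth adding to their descriptions.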
@@ -0,0 +1,136 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml new file mode 100755 index 0000000000..4982b2c2d3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml 
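Review bot: `event.action` and `event.outcome` are mapped here, but the redis ingest pipeline in this change only sets `ecs.version`, normalises `host.mac` and strips a legacy category, so both mappings rely on packetbeat populating the fields. If it does not, the pipeline could derive the outcome from the protocol fields, e.g. `- set: { field: event.outcome, value: failure, if: "ctx.redis?.error != null" }` with a `success` counterpart; if it does, a short comment in the pipeline stating that would save the next reader the check. Note the sibling pgsql `ecs.yml` in this change maps neither field, so the two streams are not consistent in either case.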
@@ -0,0 +1,13 @@ +- name: redis + type: group + fields: + - name: return_value + type: keyword + description: > + The return value of the Redis command in a human readable format. + + - name: error + type: keyword + description: > + If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. + diff --git a/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml b/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml new file mode 100755 index 0000000000..9fe0ce4e18 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml 
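Review bot: `redis.return_value` and `redis.error` are plain `keyword` fields with no `ignore_above`, while the other keyword fields in this package (the `cloud.*`/`host.*` definitions in agent.yml) cap at 1024. A Redis reply is wire payload of arbitrary size, and a single keyword term over Lucene's ~32 KB limit rejects the whole event rather than just the field, so `ignore_above: 1024` on both fields would be the consistent, safer mapping. The description should also say that `return_value` is the literal value returned by the server, so key contents (which may be secrets) end up indexed; something like `The return value of the Redis command in a human readable format. This is the raw value returned by the server and may contain sensitive data.`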
@@ -0,0 +1,86 @@ +title: Redis +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [6379] + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`request` field) + is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`response` + field) is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. + show_user: false + multi: false + required: false + - name: queue_max_bytes + type: integer + title: Queue Max Bytes + description: |- + Max size for per-session message queue. This places a limit on the memory + that can be used to buffer requests and responses for correlation. + show_user: false + multi: false + required: false + - name: queue_max_messages + type: integer + title: Queue Max Messages + description: |- + Max number of messages for per-session message queue. This limits the number + of requests or responses that can be buffered for correlation. Set a value + large enough to allow for pipelining. 
+ show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: Redis + description: Capture Redis Traffic + template_path: redis.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json b/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json new file mode 100755 index 0000000000..7ce644c935 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json 
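Review bot: The `send_request` and `send_response` descriptions do not warn that the raw Redis message is stored verbatim, so an `AUTH <password>` command or the value of a `SET`/`GET` would land in the `request`/`response` fields as captured; nothing in this manifest indicates that the agent redacts it. I would add a sentence to both descriptions, e.g. `The raw message may contain credentials (such as the argument of an AUTH command) and key contents; enable only where the target index is access-controlled.` A small related gap: `transaction_timeout` is typed `text` with no mention of the expected format or default, so a value like `10s` vs `10` is left to the reader to guess; one sentence giving the duration format would help.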
@@ -0,0 +1,102 @@ +{ + "@timestamp": "2022-03-09T08:30:57.254Z", + "agent": { + "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 31, + "ip": "127.0.0.1", + "port": 32810 + }, + "data_stream": { + "dataset": "network_traffic.redis", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 5, + "ip": "127.0.0.1", + "port": 6380 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "redis.set", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.redis", + "duration": 1421600, + "end": "2022-03-09T08:30:57.256Z", + "ingested": "2022-03-09T08:30:58Z", + "kind": "event", + "start": "2022-03-09T08:30:57.254Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SET", + "network": { + "bytes": 36, + "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", + "direction": "ingress", + "protocol": "redis", + "transport": "tcp", + "type": "ipv4" + }, + "query": "set key3 me", + "redis": { + "return_value": "OK" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "resource": "key3", + "server": { + "bytes": 5, + "ip": "127.0.0.1", + "port": 6380 + }, + "source": { + "bytes": 31, + "ip": "127.0.0.1", + "port": 32810 + }, + "status": "OK", + "type": "redis" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs new file mode 100755 index 0000000000..935ea011ee --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs @@ -0,0 +1,34 @@ +type: sip +{{#if port}} +ports: +{{#each port as |p|}} + - {{p}} +{{/each}} +{{/if}} +{{#if parse_authorization}} +parse_authorization: {{parse_authorization}} +{{/if}} +{{#if parse_body}} +parse_body: {{parse_body}} +{{/if}} +{{#if keep_original}} +keep_original: {{keep_original}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +{{#if tags}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if interface}} +interface: +{{#if (contains ".pcap" interface)}} + file: {{interface}} +{{else}} + device: {{interface}} +{{/if}} +{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..c20207afdd --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml 
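Review bot: The template references an `interface` variable that the SIP stream manifest in this diff does not declare (it lists only `port`, `parse_authorization`, `parse_body`, `keep_original`, `processors` and `tags`), so it is presumably a package-level input shared by all packet streams; a Handlebars comment above that block, such as `{{!-- interface is a package-level input var; a ".pcap" value is read as a file, anything else as a capture device --}}`, would save the next reader the search. Note also that the `{{#if}}` guards omit `parse_authorization`, `parse_body` and `keep_original` entirely when they are false, which is only correct as long as the packetbeat default for each of these is false; worth stating in the same comment so a future default change is caught.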
@@ -0,0 +1,39 @@ +--- +description: Pipeline for processing sip traffic +processors: +- set: + field: ecs.version + value: 8.2.0 +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1. +- script: + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "protocol") { + ctx.event.category.remove(i); + } + } + } + +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml new file mode 100755 index 0000000000..a55e9f71b3 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml 
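Review bot: The Painless script that strips the legacy `protocol` term assumes `ctx.event.category` is a list: it reads `.length` and calls `remove(i)`, and a scalar string value would throw and route the event through `on_failure`, which only annotates `error.message` and leaves the category untouched. A type guard keeps the pipeline from failing on a single-valued category, for example `if (ctx.event?.category instanceof List) {` in place of the null check. It would also be worth a comment that this cleanup can be dropped once the package's minimum supported agent version is at or above 7.17.4/8.2.1, which the existing comment names as the fix point.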
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
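Review bot: The `host.mac` description ("Host mac addresses.") does not document the format the SIP ingest pipeline in this same change enforces, where it strips separators, re-inserts `-` every two characters and uppercases, giving values like `02-42-AC-1F-00-07` as in the sample event. Since queries and detection rules will be written against the normalized form, I would say so here: `Host MAC addresses, normalized by the ingest pipeline to upper-case, dash-separated form (e.g. 02-42-AC-1F-00-07).` Minor: `example: 666777888999` on `cloud.account.id` is parsed as an integer by YAML although the field is a keyword; quoting it as `"666777888999"` keeps the example the same type as the field.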
diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml new file mode 100755 index 0000000000..0d1791ffed --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml new file mode 100755 index 0000000000..d23ddc749e --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml 
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml new file mode 100755 index 0000000000..c2a147238b --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml 
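Review bot: The description of `response` ends with "For binary protocols this is our representation of the request." which is a copy of the `request` text; it should read `For binary protocols this is our representation of the response.` Both `request` and `response` are `text` fields that hold the application-layer message as captured, and in the redis stream of this same change they are only populated when `send_request`/`send_response` are enabled; a sentence in each description saying they are off by default and may contain credentials or payload data would make that clear to someone reading the field reference rather than the manifest. The SIP manifest in this diff has no such toggle, so if SIP populates these fields unconditionally (which I cannot tell from here) that is worth stating too.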
@@ -0,0 +1,174 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. 
+ name: network.forwarded_ip + type: ip +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml new file mode 100755 index 0000000000..5b25d9df6d --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml 
@@ -0,0 +1,231 @@ +- name: sip + type: group + description: Information about SIP traffic. + fields: + - name: code + type: long + description: Response status code. + - name: method + type: keyword + description: Request method. + - name: status + type: keyword + description: Response status phrase. + - name: type + type: keyword + description: Either request or response. + - name: version + type: keyword + description: SIP protocol version. + - name: uri.original + type: keyword + description: The original URI. + multi_fields: + - name: text + type: text + norms: false + - name: uri.scheme + type: keyword + description: The URI scheme. + - name: uri.username + type: keyword + description: The URI user name. + - name: uri.host + type: keyword + description: The URI host. + - name: uri.port + type: long + description: The URI port. + - name: accept + type: keyword + description: Accept header value. + - name: allow + type: keyword + description: Allowed methods. + - name: call_id + type: keyword + description: Call ID. + - name: content_length + type: long + - name: content_type + type: keyword + - name: max_forwards + type: long + - name: supported + type: keyword + description: Supported methods. + - name: user_agent.original + type: keyword + multi_fields: + - name: text + type: text + norms: false + - name: private.uri.original + type: keyword + description: Private original URI. + multi_fields: + - name: text + type: text + norms: false + - name: private.uri.scheme + type: keyword + description: Private URI scheme. + - name: private.uri.username + type: keyword + description: Private URI user name. + - name: private.uri.host + type: keyword + description: Private URI host. + - name: private.uri.port + type: long + description: Private URI port. + - name: cseq.code + type: long + description: Sequence code. + - name: cseq.method + type: keyword + description: Sequence method. + - name: via.original + type: keyword + description: The original Via value. 
+ multi_fields: + - name: text + type: text + norms: false + - name: to.display_info + type: keyword + description: "To display info" + - name: to.uri.original + type: keyword + description: "To original URI" + multi_fields: + - name: text + type: text + norms: false + - name: to.uri.scheme + type: keyword + description: "To URI scheme" + - name: to.uri.username + type: keyword + description: "To URI user name" + - name: to.uri.host + type: keyword + description: "To URI host" + - name: to.uri.port + type: long + description: "To URI port" + - name: to.tag + type: keyword + description: "To tag" + - name: from.display_info + type: keyword + description: "From display info" + - name: from.uri.original + type: keyword + description: "From original URI" + multi_fields: + - name: text + type: text + norms: false + - name: from.uri.scheme + type: keyword + description: "From URI scheme" + - name: from.uri.username + type: keyword + description: "From URI user name" + - name: from.uri.host + type: keyword + description: "From URI host" + - name: from.uri.port + type: long + description: "From URI port" + - name: from.tag + type: keyword + description: "From tag" + - name: contact.display_info + type: keyword + description: "Contact display info" + - name: contact.uri.original + type: keyword + description: "Contact original URI" + multi_fields: + - name: text + type: text + norms: false + - name: contact.uri.scheme + type: keyword + description: "Contat URI scheme" + - name: contact.uri.username + type: keyword + description: "Contact URI user name" + - name: contact.uri.host + type: keyword + description: "Contact URI host" + - name: contact.uri.port + type: long + description: "Contact URI port" + - name: contact.transport + type: keyword + description: "Contact transport" + - name: contact.line + type: keyword + description: "Contact line" + - name: contact.expires + type: keyword + description: "Contact expires" + - name: contact.q + type: keyword + description: 
"Contact Q" + - name: auth.scheme + type: keyword + description: "Auth scheme" + - name: auth.realm + type: keyword + description: "Auth realm" + - name: auth.uri.original + type: keyword + description: "Auth original URI" + multi_fields: + - name: text + type: text + norms: false + - name: auth.uri.scheme + type: keyword + description: "Auth URI scheme" + - name: auth.uri.host + type: keyword + description: "Auth URI host" + - name: auth.uri.port + type: long + description: "Auth URI port" + - name: sdp.version + type: keyword + description: "SDP version" + - name: sdp.owner.username + type: keyword + description: "SDP owner user name" + - name: sdp.owner.session_id + type: keyword + description: "SDP owner session ID" + - name: sdp.owner.version + type: keyword + description: "SDP owner version" + - name: sdp.owner.ip + type: ip + description: "SDP owner IP" + - name: sdp.session.name + type: keyword + description: "SDP session name" + - name: sdp.connection.info + type: keyword + description: "SDP connection info" + - name: sdp.connection.address + type: keyword + description: "SDP connection address" + - name: sdp.body.original + type: keyword + description: "SDP original body" + multi_fields: + - name: text + type: text + norms: false diff --git a/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml b/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml new file mode 100755 index 0000000000..79dd27ea52 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml 
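Review bot: `contact.uri.scheme` has the description "Contat URI scheme", a typo for `Contact URI scheme`. Several fields in this group carry no description at all: `content_length`, `content_type`, `max_forwards` and `user_agent.original`, so the generated field reference will show them blank; one line each (`Content-Length header value.`, `Content-Type header value.`, `Max-Forwards header value.`, `User-Agent header value.`) fixes that. Also worth a note on the group description that the `auth.*` and `private.uri.*` fields are populated only when `parse_authorization` is enabled and that `sdp.*` depends on `parse_body`, since that relationship is only visible in the manifest.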
@@ -0,0 +1,54 @@ +title: SIP +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [5060] + - name: parse_authorization + type: bool + title: Parse Authorization + description: Parse the authorization headers + show_user: false + multi: false + required: false + - name: parse_body + type: bool + title: Parse Body + description: Parse body contents (only when body is SDP) + show_user: false + multi: false + required: false + - name: keep_original + type: bool + title: Keep Original + description: Preserve original contents in event.original + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: SIP + description: Capture SIP Traffic + template_path: sip.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json b/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json new file mode 100755 index 0000000000..5a36041d5a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json 
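Review bot: The `keep_original` description, `Preserve original contents in event.original`, does not say what "original contents" covers; the sample event added later in this commit shows event.original carrying the full request line, every header and the SDP body. Spell that out so operators can judge what they are retaining: `description: Preserve the complete SIP message (request line, headers and body) in event.original`. The rest of the manifest mirrors the other data streams in this commit.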
@@ -0,0 +1,174 @@ +{ + "@timestamp": "2022-05-13T07:10:35.715Z", + "agent": { + "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", + "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.2.0" + }, + "client": { + "ip": "10.0.2.20", + "port": 5060 + }, + "data_stream": { + "dataset": "network_traffic.sip", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.0.2.15", + "port": 5060 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "sip-invite", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.sip", + "duration": 0, + "end": "2022-05-13T07:10:35.715Z", + "ingested": "2022-05-13T07:10:39Z", + "kind": "event", + "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", + "sequence": 1, + "start": "2022-05-13T07:10:35.715Z", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.31.0.7" + ], + "mac": [ + "02-42-AC-1F-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "network": { + "application": "sip", + "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + 
"direction": "unknown", + "iana_number": "17", + "protocol": "sip", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "user": [ + "test", + "sipp" + ] + }, + "server": { + "ip": "10.0.2.15", + "port": 5060 + }, + "sip": { + "call_id": "1-2187@10.0.2.20", + "contact": { + "display_info": "test", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + } + }, + "content_length": 123, + "content_type": "application/sdp", + "cseq": { + "code": 1, + "method": "INVITE" + }, + "from": { + "display_info": "DVI4/8000", + "tag": "1", + "uri": { + "host": "10.0.2.20", + "original": "sip:sipp@10.0.2.20:5060", + "port": 5060, + "scheme": "sip", + "username": "sipp" + } + }, + "max_forwards": 70, + "method": "INVITE", + "sdp": { + "body": { + "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" + }, + "connection": { + "address": "10.0.2.20", + "info": "IN IP4 10.0.2.20" + }, + "owner": { + "ip": "10.0.2.20", + "session_id": "42", + "version": "42" + }, + "version": "0" + }, + "to": { + "display_info": "test", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + } + }, + "type": "request", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + }, + "version": "2.0", + "via": { + "original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" + ] + } + }, + "source": { + "ip": "10.0.2.20", + "port": 5060 + }, + "status": "OK", + "type": "sip" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs
new file mode 100755
index 0000000000..d6d9604253
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs
@@ -0,0 +1,64 @@
+type: thrift
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if transport_type}}
+transport_type: {{transport_type}}
+{{/if}}
+{{#if protocol_type}}
+protocol_type: {{protocol_type}}
+{{/if}}
+{{#if idl_files}}
+idl_files:
+{{#each idl_files as |idl_file|}}
+ - {{idl_file}}
+{{/each}}
+{{/if}}
+{{#if string_max_size}}
+string_max_size: {{string_max_size}}
+{{/if}}
+{{#if collection_max_size}}
+collection_max_size: {{collection_max_size}}
+{{/if}}
+{{#if capture_reply}}
+capture_reply: {{capture_reply}}
+{{/if}}
+{{#if obfuscate_strings}}
+obfuscate_strings: {{obfuscate_strings}}
+{{/if}}
+{{#if drop_after_n_struct_fields}}
+drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
+{{/if}}
+{{#if send_request}}
+send_request: {{send_request}}
+{{/if}}
+{{#if send_response}}
+send_response: {{send_response}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if transaction_timeout}}
+transaction_timeout: {{transaction_timeout}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..608bb7e6a5
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
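Review bot: `{{#if capture_reply}}` around `capture_reply: {{capture_reply}}` means a user value of false never reaches the rendered config, because Handlebars skips the block for a falsy value; if the agent-side default is true, as the option's description in this commit's manifest implies, the only way to turn reply capture off is unreachable through this template. Give the option an explicit `default: true` in the manifest and emit `capture_reply: {{capture_reply}}` unconditionally, so both values are representable. The tls template added later in this commit has the same shape around `send_certificates`, which is worth checking against its default for the same reason. This hunk is the whole file.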
@@ -0,0 +1,27 @@
+---
+description: Pipeline for processing thrift traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml
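Review bot: The on_failure handler writes `{{ _ingest.on_failure_message }}` with double braces, which Mustache HTML-escapes, so a failure message containing quotes, `<`, `>` or `&` lands in error.message as entity-encoded text that is harder to read and to match in detection rules. Use triple braces to keep it verbatim: `value: '{{{ _ingest.on_failure_message }}}'`. The whole pipeline is within this hunk.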
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
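Review bot: `example: 666777888999` on cloud.account.id is an unquoted all-digit scalar and is loaded as an integer even though the field is a keyword; quote it as `example: "666777888999"`. The folded descriptions on `containerized`, `os.build` and `os.codename` use `>` followed by a blank line, which leaves a trailing newline in the description text; `>-` drops it and matches the plain scalars used for every other description in the file.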
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml new file mode 100755 index 0000000000..45c65d5b8a --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml 
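Review bot: The `response` field's description ends with "For binary protocols this is our representation of the request.", copied from the `request` entry above it; it should read `For binary protocols this is our representation of the response.`. Further down, the `type` entry places `description` before `type: keyword` with a blank line between them, unlike every other entry in the file; put `type: keyword` directly under `name: type` for consistency.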
@@ -0,0 +1,123 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. 
+ Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. 
+ name: server.port
+ type: long
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml
new file mode 100755
index 0000000000..dd097f61ee
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml
@@ -0,0 +1,23 @@
+- name: thrift
+ type: group
+ fields:
+ - name: params
+ type: keyword
+ description: >
+ The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
+
+ - name: service
+ type: keyword
+ description: >
+ The name of the Thrift-RPC service as defined in the IDL files.
+
+ - name: return_value
+ type: keyword
+ description: >
+ The value returned by the Thrift-RPC call. This is encoded in a human readable format.
+
+ - name: exceptions
+ type: keyword
+ description: >
+ If the call resulted in exceptions, this field contains the exceptions in a human readable format.
+
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml b/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml
new file mode 100755
index 0000000000..29eabbeb19
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml
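Review bot: `thrift.params`, `thrift.return_value` and `thrift.exceptions` are mapped as `keyword` with no `ignore_above`, while the manifest in this same commit lets `string_max_size` and `collection_max_size` grow the human-readable rendering without a visible upper bound; a single value beyond Lucene's term-length limit would reject the whole document at index time, so one oversized RPC call could drop its event from the index. Add `ignore_above: 1024` to the three fields, matching the ECS keyword fields in this commit's agent.yml, or map them as `text` like the generic `params` in beats.yml if aggregating on them is not needed. This note applies to the protocol.yml hunk ending here, not the ecs.yml hunk above it.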
@@ -0,0 +1,141 @@ +title: Thrift +release: beta +type: logs +streams: + - input: packet + vars: + - name: port + # currently the Kibana UI doesn't support multi inputs + # that are numeric, you get "Error: r.toLowerCase is not a function" + # so map this as text + type: text + multi: true + title: Ports + required: true + show_user: true + default: [9090] + - name: transport_type + type: text + title: Transport Type + description: |- + The Thrift transport type. Currently this option accepts the values socket + for TSocket, which is the default Thrift transport, and framed for the + TFramed Thrift transport. The default is socket. + show_user: false + multi: false + required: false + - name: protocol_type + type: text + title: Protocol Type + description: |- + The Thrift protocol type. Currently the only accepted value is binary for + the TBinary protocol, which is the default Thrift protocol. + show_user: false + multi: false + required: false + - name: idl_files + type: text + title: Idl Files + description: |- + The Thrift interface description language (IDL) files for the service that + Packetbeat is monitoring. Providing the IDL enables Packetbeat to include + parameter and exception names. + show_user: false + multi: true + required: false + - name: string_max_size + type: integer + title: String Max Size + description: |- + The maximum length for strings in parameters or return values. If a string + is longer than this value, the string is automatically truncated to this + length. + show_user: false + multi: false + required: false + - name: collection_max_size + type: integer + title: Collection Max Size + description: The maximum number of elements in a Thrift list, set, map, or structure. + show_user: false + multi: false + required: false + - name: capture_reply + type: bool + title: Capture Reply + description: |- + If this option is set to false, Packetbeat decodes the method name from the + reply and simply skips the rest of the response message. 
+ show_user: false + multi: false + required: false + - name: obfuscate_strings + type: bool + title: Obfuscate Strings + description: |- + If this option is set to true, Packetbeat replaces all strings found in + method parameters, return codes, or exception structures with the "*" + string. + show_user: false + multi: false + required: false + - name: drop_after_n_struct_fields + type: integer + title: Drop After N Struct Fields + description: |- + The maximum number of fields that a structure can have before Packetbeat + ignores the whole transaction. + show_user: false + multi: false + required: false + - name: send_request + type: bool + title: Send Request + description: |- + If this option is enabled, the raw message of the request (`request` field) + is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: send_response + type: bool + title: Send Response + description: |- + If this option is enabled, the raw message of the response (`response` + field) is sent to Elasticsearch. The default is false. + show_user: false + multi: false + required: false + - name: keep_null + type: bool + title: Keep Null + description: Set to true to publish fields with null values in events. + show_user: false + multi: false + required: false + - name: transaction_timeout + type: text + title: Transaction Timeout + description: |- + Transaction timeout. Expired transactions will no longer be correlated to + incoming responses, but sent to Elasticsearch immediately. + show_user: false + multi: false + required: false + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. + show_user: false + multi: true + required: false + title: Thrift + description: Capture Thrift Traffic + template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json b/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json new file mode 100755 index 0000000000..4c1640a50d --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json 
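Review bot: `title: Idl Files` on the `idl_files` var is inconsistent with the descriptions in the same file, which spell the acronym IDL; use `title: IDL Files`. The remaining vars follow the layout of the sip manifest earlier in this commit.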
@@ -0,0 +1,102 @@ +{ + "@timestamp": "2022-03-09T08:33:31.022Z", + "agent": { + "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 50919 + }, + "data_stream": { + "dataset": "network_traffic.thrift", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 9090 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.thrift", + "duration": 1394000, + "end": "2022-03-09T08:33:31.023Z", + "ingested": "2022-03-09T08:33:32Z", + "kind": "event", + "start": "2022-03-09T08:33:31.022Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "testByte", + "network": { + "bytes": 50, + "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", + "direction": "ingress", + "protocol": "thrift", + "transport": "tcp", + "type": "ipv4" + }, + "path": "", + "query": "testByte(1: 63)", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 9090 + }, + "source": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 50919 + }, + "status": "OK", + "thrift": { + "params": "(1: 63)", + "return_value": "63" + }, + "type": "thrift" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs
new file mode 100755
index 0000000000..877a553bfd
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs
@@ -0,0 +1,40 @@
+type: tls
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+{{#if fingerprints}}
+fingerprints:
+{{#each fingerprints as |fingerprint|}}
+ - {{fingerprint}}
+{{/each}}
+{{/if}}
+{{#if send_certificates}}
+send_certificates: {{send_certificates}}
+{{/if}}
+{{#if include_raw_certificates}}
+include_raw_certificates: {{include_raw_certificates}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..788c1210ef
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
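Review bot: The templated scalars `file: {{interface}}` and `device: {{interface}}` at the end of the hunk are emitted unquoted, so a user-supplied interface value containing `: `, ` #` or a leading YAML indicator would change the structure of the rendered config rather than just the value, and `- {{fingerprint}}` has the same exposure to YAML re-typing. Since the template engine does not apply YAML rules, quoting them as `file: "{{interface}}"`, `device: "{{interface}}"` and `- "{{fingerprint}}"` keeps the values as plain strings. The `{{processors}}` block is inserted verbatim under `processors:`, which presumably relies on the package tooling supplying already-indented YAML; a short template comment stating that expectation would help the next maintainer.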
@@ -0,0 +1,55 @@
+---
+description: Pipeline for processing tls traffic
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+##
+# Set host.mac to dash separated upper case value
+# as per ECS recommendation
+##
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: ''
+ ignore_missing: true
+- gsub:
+ field: host.mac
+ pattern: '(..)(?!$)'
+ replacement: '$1-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+
+##
+# Make tls.{client,server}.x509.version_number a string as per ECS.
+##
+- convert:
+ field: tls.client.x509.version_number
+ type: string
+ ignore_missing: true
+- convert:
+ field: tls.server.x509.version_number
+ type: string
+ ignore_missing: true
+
+##
+# This handles legacy TLS fields from Packetbeat 7.17.
+##
+- remove:
+ description: Remove legacy fields from Packetbeat 7.17 that are duplicated.
+ field:
+ - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province.
+ - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province.
+ - tls.client.x509.version # Duplicated as tls.client.x509.version_number.
+ - tls.detailed.client_certificate # Duplicated as tls.client.x509.
+ - tls.detailed.server_certificate # Duplicated as tls.server.x509.
+ - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province.
+ - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province.
+ - tls.server.x509.version # Duplicated as tls.server.x509.version_number.
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml
new file mode 100755
index 0000000000..a55e9f71b3
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml
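Review bot: The `on_failure` handler at the end of the hunk records `error.message` but leaves `event.kind` untouched, so a document whose processors failed is indistinguishable from a cleanly parsed one in any query or rule keyed on `event.kind`; adding a second set processor, `- set:` / `field: event.kind` / `value: pipeline_error`, lets dashboards and detection logic filter or alert on broken parsing. The first set processor's `value: 8.2.0` happens to parse as a string, but quoting it as `"8.2.0"` makes the intent explicit and avoids float re-typing if it is ever edited to a two-part version. The second gsub's `(..)(?!$)` also presumes the stripped `host.mac` has an even number of characters; a one-line comment stating that assumption would make the pair of gsubs easier to maintain.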
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml
new file mode 100755
index 0000000000..0d1791ffed
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml
new file mode 100755
index 0000000000..d23ddc749e
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml
@@ -0,0 +1,110 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
+ +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. + + type: keyword +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml new file mode 100755 index 0000000000..49c713858d --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml 
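Review bot: The `response` field's description near the top of the hunk ends with "our representation of the request", which reads as a copy-paste of the `request` entry; it should end `For binary protocols this is our representation of the response.` The `type` entry further down places `description` before `type` with a stray blank line between them, unlike every other entry in the file; moving `type: keyword` up beside `name` keeps the entries uniform and avoids the odd trailing-key layout.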
@@ -0,0 +1,368 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
+ It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
+ name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. 
+ name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: String indicating the cipher used during the current connection. + name: tls.cipher + type: keyword +- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + name: tls.client.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + name: tls.client.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ name: tls.client.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.sha256 + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + name: tls.client.ja3 + type: keyword +- description: Date/Time indicating when client certificate is no longer considered valid. + name: tls.client.not_after + type: date +- description: Date/Time indicating when client certificate is first considered valid. + name: tls.client.not_before + type: date +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: Distinguished name of subject of the x.509 certificate presented by the client. + name: tls.client.subject + type: keyword +- description: Array of ciphers offered by the client during the client hello. + name: tls.client.supported_ciphers + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.client.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.client.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.client.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. 
+ name: tls.client.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.client.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: tls.client.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: tls.client.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: tls.client.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.client.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.client.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.client.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.client.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.client.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.client.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. 
+ name: tls.client.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.client.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: tls.client.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.client.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: tls.client.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: tls.client.x509.version_number + type: keyword +- description: String indicating the curve used for the given cipher, when applicable. + name: tls.curve + type: keyword +- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + name: tls.established + type: boolean +- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + name: tls.next_protocol + type: keyword +- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + name: tls.resumed + type: boolean +- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + name: tls.server.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + name: tls.server.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.sha256 + type: keyword +- description: Subject of the issuer of the x.509 certificate presented by the server. + name: tls.server.issuer + type: keyword +- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + name: tls.server.ja3s + type: keyword +- description: Timestamp indicating when server certificate is no longer considered valid. + name: tls.server.not_after + type: date +- description: Timestamp indicating when server certificate is first considered valid. + name: tls.server.not_before + type: date +- description: Subject of the x.509 certificate presented by the server. + name: tls.server.subject + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.server.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. 
+ name: tls.server.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.server.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: tls.server.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.server.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: tls.server.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: tls.server.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: tls.server.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.server.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.server.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.server.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.server.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.server.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.server.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: tls.server.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.server.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: tls.server.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.server.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: tls.server.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: tls.server.x509.version_number + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml new file mode 100755 index 0000000000..d8264468d4 --- /dev/null +++ b/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml 
@@ -0,0 +1,173 @@
+- name: tls
+ type: group
+ fields:
+ - name: detailed
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: >
+ The version of the TLS protocol used.
+
+ example: "TLS 1.3"
+ - name: resumption_method
+ type: keyword
+ description: >
+ If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
+
+ - name: client_certificate_requested
+ type: boolean
+ description: >
+ Whether the server has requested the client to authenticate itself using a client certificate.
+
+ - name: ocsp_response
+ type: keyword
+ description: >
+ The result of an OCSP request.
+
+ - name: client_hello
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: >
+ The version of the TLS protocol by which the client wishes to communicate during this session.
+
+ - name: random
+ type: keyword
+ description: >
+ Random data used by the TLS protocol to generate the encryption key.
+
+ - name: session_id
+ type: keyword
+ description: >
+ Unique number to identify the session for the corresponding connection with the client.
+
+ - name: supported_compression_methods
+ type: keyword
+ description: >
+ The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
+
+ - name: extensions
+ type: group
+ description: The hello extensions provided by the client.
+ fields:
+ - name: server_name_indication
+ type: keyword
+ description: List of hostnames
+ - name: application_layer_protocol_negotiation
+ type: keyword
+ description: >
+ List of application-layer protocols the client is willing to use.
+
+ - name: session_ticket
+ type: keyword
+ description: >
+ Length of the session ticket, if provided, or an empty string to advertise support for tickets.
+
+ - name: supported_versions
+ type: keyword
+ description: >
+ List of TLS versions that the client is willing to use. 
+
+ - name: supported_groups
+ type: keyword
+ description: >
+ List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.
+
+ - name: signature_algorithms
+ type: keyword
+ description: >
+ List of signature algorithms that may be use in digital signatures.
+
+ - name: ec_points_formats
+ type: keyword
+ description: >
+ List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.
+
+ - name: status_request
+ type: group
+ description: Status request made to the server.
+ fields:
+ - name: type
+ type: keyword
+ description: The type of the status request. Always "ocsp" if present.
+ - name: responder_id_list_length
+ type: short
+ description: The length of the list of trusted responders.
+ - name: request_extensions
+ type: short
+ description: The number of certificate extensions for the request.
+ - name: _unparsed_
+ type: keyword
+ description: >
+ List of extensions that were left unparsed by Packetbeat.
+
+ - name: server_hello
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: >
+ The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
+
+ - name: random
+ type: keyword
+ description: >
+ Random data used by the TLS protocol to generate the encryption key.
+
+ - name: selected_compression_method
+ type: keyword
+ description: >
+ The compression method selected by the server from the list provided in the client hello.
+
+ - name: session_id
+ type: keyword
+ description: >
+ Unique number to identify the session for the corresponding connection with the client.
+
+ - name: extensions
+ type: group
+ description: The hello extensions provided by the server. 
+ fields:
+ - name: application_layer_protocol_negotiation
+ type: keyword
+ description: Negotiated application layer protocol
+ - name: session_ticket
+ type: keyword
+ description: >
+ Used to announce that a session ticket will be provided by the server. Always an empty string.
+
+ - name: supported_versions
+ type: keyword
+ description: >
+ Negotiated TLS version to be used.
+
+ - name: ec_points_formats
+ type: keyword
+ description: >
+ List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.
+
+ - name: status_request
+ type: group
+ description: Status request made to the server.
+ fields:
+ - name: response
+ type: boolean
+ description: Whether a certificate status request response was made.
+ - name: _unparsed_
+ type: keyword
+ description: >
+ List of extensions that were left unparsed by Packetbeat.
+
+ - name: server_certificate_chain
+ type: array
+ description: Chain of trust for the server certificate.
+ - name: client_certificate_chain
+ type: array
+ description: Chain of trust for the client certificate.
+ - name: alert_types
+ type: keyword
+ description: >
+ An array containing the TLS alert type for every alert received.
+
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml b/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml
new file mode 100755
index 0000000000..d2b8f403da
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml
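Review bot: The `status_request` group under `server_hello.extensions` reuses the client-side description `Status request made to the server.`, but its only field, `response`, records the server's answer, so `description: Server's response to the client's certificate status (OCSP) request.` would describe it correctly. The `resumption_method` description should also caution that a session-ID match is not proof of resumption in TLS 1.3, where the server echoes the client's legacy session ID in compatibility mode; the sample event in this same commit reports `resumption_method: "id"` and `resumed: true` for a TLS 1.3 handshake whose `pre_shared_key` (41) extension is left in `_unparsed_`, so if the value is derived from the echoed ID, readers building detections on these fields need to know it is heuristic. Minor: `signature_algorithms` reads `may be use` (should be `may be used`), and the `>` folded descriptions followed by a blank line keep a trailing newline in the value; `>-`, matching the `|-` style used in manifest.yml in this commit, avoids that.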
@@ -0,0 +1,67 @@
+title: TLS
+release: beta
+type: logs
+streams:
+ - input: packet
+ vars:
+ - name: port
+ # currently the Kibana UI doesn't support multi inputs
+ # that are numeric, you get "Error: r.toLowerCase is not a function"
+ # so map this as text
+ type: text
+ multi: true
+ title: Ports
+ required: true
+ show_user: true
+ default: [443, 993, 995, 5223, 8443, 8883, 9243]
+ - name: fingerprints
+ type: text
+ title: Fingerprints
+ description: |-
+ List of hash algorithms to use to calculate certificates' fingerprints.
+ Valid values are `sha1`, `sha256` and `md5`.
+ show_user: false
+ multi: true
+ required: false
+ - name: send_certificates
+ type: bool
+ title: Send Certificates
+ description: |-
+ If this option is enabled, the client and server certificates and
+ certificate chains are sent to Elasticsearch. The default is true.
+ show_user: false
+ multi: false
+ required: false
+ - name: include_raw_certificates
+ type: bool
+ title: Include Raw Certificates
+ description: |-
+ If this option is enabled, the raw certificates will be stored
+ in PEM format under the `raw` key. The default is false.
+ show_user: false
+ multi: false
+ required: false
+ - name: keep_null
+ type: bool
+ title: Keep Null
+ description: Set to true to publish fields with null values in events.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ show_user: false
+ multi: false
+ required: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ show_user: false
+ multi: true
+ required: false
+ title: TLS
+ description: Capture TLS Traffic
+ template_path: tls.yml.hbs
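Review bot: `port` is declared `type: text` to work around the Kibana numeric multi-input error described in the comment above it, yet its `default` list still holds bare integers, so the default presumably reaches the UI as numbers and may trigger the same error; quoting them, `default: ["443", "993", "995", "5223", "8443", "8883", "9243"]`, keeps the default consistent with the declared type. The `fingerprints` description lists `md5` as a valid value but states no default, so a reader cannot tell which digests are computed when the list is left empty; it should name the default and point users at `sha256` for matching certificates, since MD5 and SHA-1 fingerprints are collision-prone. `send_certificates` documents a default of true; a sentence noting that full client and server chains are then indexed for every handshake would help operators size storage.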
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json b/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json
new file mode 100755
index 0000000000..f325b87dbb
--- /dev/null
+++ b/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json
@@ -0,0 +1,196 @@
+{
+ "@timestamp": "2022-03-09T08:34:08.391Z",
+ "agent": {
+ "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "name": "docker-fleet-agent",
+ "type": "packetbeat",
+ "version": "8.0.0"
+ },
+ "client": {
+ "ip": "192.168.1.36",
+ "port": 60946
+ },
+ "data_stream": {
+ "dataset": "network_traffic.tls",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "domain": "play.google.com",
+ "ip": "216.58.201.174",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "network_traffic.tls",
+ "duration": 14861200,
+ "end": "2022-03-09T08:34:08.406Z",
+ "ingested": "2022-03-09T08:34:09Z",
+ "kind": "event",
+ "start": "2022-03-09T08:34:08.391Z",
+ "type": [
+ "connection",
+ "protocol"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "192.168.176.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-B0-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.47-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.3 LTS (Focal Fossa)"
+ }
+ },
+ "network": {
+ "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
+ "direction": "unknown",
+ "protocol": "tls",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.36",
+ "216.58.201.174"
+ ]
+ },
+ "server": {
+ "domain": "play.google.com",
+ "ip": "216.58.201.174",
+ "port": 443
+ },
+ "source": {
+ "ip": "192.168.1.36",
+ "port": 60946
+ },
+ "status": "OK",
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "client": {
+ "ja3": "d470a3fa301d80227bc5650c75567d25",
+ "server_name": "play.google.com",
+ "supported_ciphers": [
+ "TLS_AES_128_GCM_SHA256",
+ 
"TLS_CHACHA20_POLY1305_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
+ ]
+ },
+ "detailed": {
+ "client_certificate_requested": false,
+ "client_hello": {
+ "extensions": {
+ "_unparsed_": [
+ "23",
+ "renegotiation_info",
+ "status_request",
+ "51",
+ "45",
+ "28",
+ "41"
+ ],
+ "application_layer_protocol_negotiation": [
+ "h2",
+ "http/1.1"
+ ],
+ "ec_points_formats": [
+ "uncompressed"
+ ],
+ "server_name_indication": [
+ "play.google.com"
+ ],
+ "signature_algorithms": [
+ "ecdsa_secp256r1_sha256",
+ "ecdsa_secp384r1_sha384",
+ "ecdsa_secp521r1_sha512",
+ "rsa_pss_sha256",
+ "rsa_pss_sha384",
+ "rsa_pss_sha512",
+ "rsa_pkcs1_sha256",
+ "rsa_pkcs1_sha384",
+ "rsa_pkcs1_sha512",
+ "ecdsa_sha1",
+ "rsa_pkcs1_sha1"
+ ],
+ "supported_groups": [
+ "x25519",
+ "secp256r1",
+ "secp384r1",
+ "secp521r1",
+ "ffdhe2048",
+ "ffdhe3072"
+ ],
+ "supported_versions": [
+ "TLS 1.3",
+ "TLS 1.2",
+ "TLS 1.1",
+ "TLS 1.0"
+ ]
+ },
+ "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
+ "supported_compression_methods": [
+ "NULL"
+ ],
+ "version": "3.3"
+ },
+ "resumption_method": "id",
+ "server_hello": {
+ "extensions": {
+ "_unparsed_": [
+ "41",
+ "51"
+ ],
+ "supported_versions": "TLS 1.3"
+ },
+ "selected_compression_method": "NULL",
+ "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
+ "version": "3.3"
+ },
+ 
"version": "TLS 1.3"
+ },
+ "established": true,
+ "resumed": true,
+ "version": "1.3",
+ "version_protocol": "tls"
+ },
+ "type": "tls"
+}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/docs/README.md b/packages/network_traffic/1.0.1/docs/README.md
new file mode 100755
index 0000000000..adadb4cf1d
--- /dev/null
+++ b/packages/network_traffic/1.0.1/docs/README.md
@@ -0,0 +1,3960 @@ +# Network Packet Capture Integration + +This integration sniffs network packets on a host and dissects +known protocols. + +## Network Flows + +Overall flow information about the network connections on a +host. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. 
| object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +## Protocols + +### AMQP + +Fields published for AMQP packets. 
+ +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| amqp.app-id | Creating application id. | keyword | +| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | +| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | +| amqp.class-id | Failing method class. | long | +| amqp.consumer-count | The number of consumers of a queue. | long | +| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | +| amqp.content-encoding | MIME content encoding. | keyword | +| amqp.content-type | MIME content type. | keyword | +| amqp.correlation-id | Application correlation identifier. | keyword | +| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | +| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | +| amqp.durable | If set, request a durable exchange/queue. | boolean | +| amqp.exchange | Name of the exchange. | keyword | +| amqp.exchange-type | Exchange type. | keyword | +| amqp.exclusive | If set, request an exclusive queue. | boolean | +| amqp.expiration | Message expiration specification. | keyword | +| amqp.headers | Message header field table. | object | +| amqp.if-empty | Delete only if empty. | boolean | +| amqp.if-unused | Delete only if unused. | boolean | +| amqp.immediate | Request immediate delivery. | boolean | +| amqp.mandatory | Indicates mandatory routing. | boolean | +| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | +| amqp.message-id | Application message identifier. | keyword | +| amqp.method-id | Failing method ID. | long | +| amqp.multiple | Acknowledge multiple messages. | boolean | +| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | +| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | +| amqp.no-wait | If set, the server will not respond to the method. | boolean | +| amqp.passive | If set, do not create exchange/queue. | boolean | +| amqp.priority | Message priority, 0 to 9. | long | +| amqp.queue | The queue name identifies the queue within the vhost. | keyword | +| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | +| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | +| amqp.reply-text | Text explaining the error. | keyword | +| amqp.reply-to | Address to reply to. | keyword | +| amqp.routing-key | Message routing key. | keyword | +| amqp.timestamp | Message timestamp. | keyword | +| amqp.type | Message type name. | keyword | +| amqp.user-id | Creating user id. | keyword | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean |
+| flow.id | Internal flow ID based on connection meta data and address. | keyword |
+| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
+| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
+| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
+| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.process.args | The command-line of the process that served the transaction. | keyword |
+| server.process.executable | Absolute path to the server process executable. | keyword |
+| server.process.name | The name of the process that served the transaction. 
| keyword |
+| server.process.start | The time the server process started. | date |
+| server.process.working_directory | The working directory of the server process. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
+| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
+
+
+An example event for `amqp` looks as following:
+
+```json
+{
+ "@timestamp": "2022-03-09T07:37:02.033Z",
+ "agent": {
+ "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "name": "docker-fleet-agent",
+ "type": "packetbeat",
+ "version": "8.0.0"
+ },
+ "amqp": {
+ "auto-delete": false,
+ "consumer-count": 0,
+ "durable": false,
+ "exclusive": false,
+ "message-count": 0,
+ "no-wait": false,
+ "passive": false,
+ "queue": "hello"
+ },
+ "client": {
+ "bytes": 25,
+ "ip": "127.0.0.1",
+ "port": 34222
+ },
+ "data_stream": {
+ "dataset": "network_traffic.amqp",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 26,
+ "ip": "127.0.0.1",
+ "port": 5672
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "amqp.queue.declare",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "network_traffic.amqp",
+ "duration": 1325900,
+ "end": "2022-03-09T07:37:02.035Z",
+ "ingested": "2022-03-09T07:37:03Z",
+ "kind": "event",
+ "start": "2022-03-09T07:37:02.033Z",
+ "type": [
+ "connection",
+ "protocol"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": 
"docker-fleet-agent",
+ "ip": [
+ "192.168.176.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-B0-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.47-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.3 LTS (Focal Fossa)"
+ }
+ },
+ "method": "queue.declare",
+ "network": {
+ "bytes": 51,
+ "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=",
+ "direction": "ingress",
+ "protocol": "amqp",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "server": {
+ "bytes": 26,
+ "ip": "127.0.0.1",
+ "port": 5672
+ },
+ "source": {
+ "bytes": 25,
+ "ip": "127.0.0.1",
+ "port": 34222
+ },
+ "status": "OK",
+ "type": "amqp"
+}
+```
+
+### Cassandra
+
+Fields published for Apache Cassandra packets.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean |
+| cassandra.request.headers.flags | Flags applying to this frame. | keyword |
+| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
+| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword |
+| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
+| cassandra.request.headers.version | The version of the protocol. | keyword |
+| cassandra.request.query | The CQL query which client send to cassandra. | keyword |
+| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword |
+| cassandra.response.error.code | The error code of the Cassandra response. 
| long |
+| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long |
+| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword |
+| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long |
+| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean |
+| cassandra.response.error.details.function | The name of the failed function. | keyword |
+| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword |
+| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword |
+| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword |
+| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long |
+| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long |
+| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword |
+| cassandra.response.error.details.table | The keyspace of the failed function. | keyword |
+| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword |
+| cassandra.response.error.msg | The error message of the Cassandra response. | keyword |
+| cassandra.response.error.type | The error type of the Cassandra response. | keyword |
+| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword |
+| cassandra.response.event.host | Representing the node ip. | keyword |
+| cassandra.response.event.port | Representing the node port. | long |
+| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword |
+| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword |
+| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword |
+| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword |
+| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
+| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword |
+| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
+| cassandra.response.event.type | Representing the event type. | keyword |
+| cassandra.response.headers.flags | Flags applying to this frame. | keyword |
+| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
+| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword |
+| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
+| cassandra.response.headers.version | The version of the protocol. | keyword |
+| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword |
+| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword |
+| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
+| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword |
+| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
+| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
+| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long |
+| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
+| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
+| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword |
+| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
+| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
+| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long |
+| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
+| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long |
+| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword |
+| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
+| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
+| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long |
+| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword |
+| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long |
+| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword |
+| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword |
+| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword |
+| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword |
+| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
+| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword |
+| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
+| cassandra.response.result.type | Cassandra result type. | keyword |
+| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened |
+| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| client.process.args | The command-line of the process that initiated the transaction. | keyword |
+| client.process.executable | Absolute path to the client process executable. | keyword |
+| client.process.name | The name of the process that initiated the transaction. | keyword |
+| client.process.start | The time the client process started. | date |
+| client.process.working_directory | The working directory of the client process. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.bytes | Bytes sent from the destination to the source. 
| long |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
+| flow.id | Internal flow ID based on connection meta data and address. | keyword |
+| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
+| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
+| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text |
+| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
+| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.process.args | The command-line of the process that served the transaction. | keyword |
+| server.process.executable | Absolute path to the server process executable. | keyword |
+| server.process.name | The name of the process that served the transaction. | keyword |
+| server.process.start | The time the server process started. | date |
+| server.process.working_directory | The working directory of the server process. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
+| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
+
+
+An example event for `cassandra` looks as following:
+
+```json
+{
+ "@timestamp": "2022-03-09T07:43:05.888Z",
+ "agent": {
+ "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "name": "docker-fleet-agent",
+ "type": "packetbeat",
+ "version": "8.0.0"
+ },
+ "cassandra": {
+ "request": {
+ "headers": {
+ "flags": "Default",
+ "length": 98,
+ "op": "QUERY",
+ "stream": 49,
+ "version": "4"
+ },
+ "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
+ },
+ "response": {
+ "headers": {
+ "flags": "Default",
+ "length": 39,
+ "op": "RESULT",
+ "stream": 49,
+ "version": "4"
+ },
+ "result": {
+ "schema_change": {
+ "change": "CREATED",
+ "keyspace": "mykeyspace",
+ "object": "users",
+ "target": "TABLE"
+ },
+ "type": "schemaChanged"
+ }
+ }
+ },
+ "client": {
+ "bytes": 107,
+ "ip": "127.0.0.1",
+ "port": 52749
+ },
+ "data_stream": {
+ "dataset": "network_traffic.cassandra",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 48,
+ "ip": "127.0.0.1",
+ "port": 9042
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "network_traffic.cassandra",
+ "duration": 131589500,
+ "end": "2022-03-09T07:43:06.019Z",
+ "ingested": "2022-03-09T07:43:09Z",
+ "kind": "event",
+ "start": "2022-03-09T07:43:05.888Z",
+ "type": [
+ "connection",
+ "protocol"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "192.168.176.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-B0-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.47-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.3 LTS (Focal Fossa)"
+ }
+ },
+ "network": {
+ "bytes": 155,
+ "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
+ "direction": "ingress",
+ "protocol": "cassandra",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "server": {
+ "bytes": 48,
+ "ip": "127.0.0.1",
+ "port": 9042
+ },
+ "source": {
+ "bytes": 107,
+ "ip": "127.0.0.1",
+ "port": 52749
+ },
+ "status": "OK",
+ "type": "cassandra"
+}
+```
+
+### DHCP
+
+Fields published for DHCPv4 packets.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| client.process.args | The command-line of the process that initiated the transaction. | keyword |
+| client.process.executable | Absolute path to the client process executable. | keyword |
+| client.process.name | The name of the process that initiated the transaction. | keyword |
+| client.process.start | The time the client process started. | date |
+| client.process.working_directory | The working directory of the client process. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip |
+| dhcpv4.client_ip | The current IP address of the client. | ip |
+| dhcpv4.client_mac | The client's MAC address (layer two). | keyword |
+| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword |
+| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword |
+| dhcpv4.hops | The number of hops the DHCP message went through. | long |
+| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword |
+| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword |
+| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip |
+| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword |
+| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip |
+| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword |
+| dhcpv4.option.hostname | This option specifies the name of the client. | keyword |
+| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long |
+| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long |
+| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text |
+| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword |
+| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip |
+| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword |
+| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long |
+| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. 
| long |
+| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip |
+| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip |
+| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip |
+| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip |
+| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip |
+| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long |
+| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object |
+| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip |
+| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long |
+| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip |
+| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword |
+| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. 
| keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | + + +An example event for `dhcpv4` looks as following: + +```json +{ + "@timestamp": "2022-03-09T07:43:52.712Z", + "agent": { + "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 272, + "ip": "0.0.0.0", + "port": 68 + }, + "data_stream": { + "dataset": "network_traffic.dhcpv4", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "255.255.255.255", + "port": 67 + }, + "dhcpv4": { + "client_mac": "00-0B-82-01-FC-42", + "flags": "unicast", + "hardware_type": "Ethernet", + "hops": 0, + "op_code": "bootrequest", + "option": { + "message_type": "discover", + "parameter_request_list": [ + "Subnet Mask", + "Router", + "Domain Name Server", + "NTP Servers" + ], + "requested_ip_address": "0.0.0.0" + }, + "seconds": 0, + "transaction_id": "0x00003d1d" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.dhcpv4", + "ingested": "2022-03-09T07:43:53Z", + "kind": "event", + "start": "2022-03-09T07:43:52.712Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 272, + "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", + "direction": "unknown", + "protocol": "dhcpv4", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "ip": [ + "0.0.0.0", + 
"255.255.255.255" + ] + }, + "server": { + "ip": "255.255.255.255", + "port": 67 + }, + "source": { + "bytes": 272, + "ip": "0.0.0.0", + "port": 68 + }, + "status": "OK", + "type": "dhcpv4" +} +``` + +### DNS + +Fields published for DNS packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. 
| object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | +| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | +| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.additionals.name | The domain name to which this resource record pertains. | keyword | +| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.additionals.type | The type of data contained in this resource record. | keyword | +| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
| object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | +| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | +| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | +| dns.authorities.name | The domain name to which this resource record pertains. | keyword | +| dns.authorities.type | The type of data contained in this resource record. | keyword | +| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | +| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | +| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | +| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. 
| boolean | +| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | +| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | +| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | +| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | +| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | +| dns.opt.ext_rcode | Extended response code field. | keyword | +| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | +| dns.opt.version | The EDNS version. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. 
| keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
+| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.process.args | The command-line of the process that served the transaction. | keyword |
+| server.process.executable | Absolute path to the server process executable. | keyword |
+| server.process.name | The name of the process that served the transaction. | keyword |
+| server.process.start | The time the server process started. | date |
+| server.process.working_directory | The working directory of the server process. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
+| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword |
+
+
+An example event for `dns` looks as following:
+
+```json
+{
+ "@timestamp": "2022-03-09T07:48:42.751Z",
+ "agent": {
+ "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f",
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "name": "docker-fleet-agent",
+ "type": "packetbeat",
+ "version": "8.0.0"
+ },
+ "client": {
+ "bytes": 28,
+ "ip": "192.168.238.68",
+ "port": 53765
+ },
+ "data_stream": {
+ "dataset": "network_traffic.dns",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 167,
+ "ip": "8.8.8.8",
+ "port": 53
+ },
+ "dns": {
+ "additionals_count": 0,
+ "answers": [
+ {
+ "class": "IN",
+ "data": "ns-1183.awsdns-19.org",
+ "name": "elastic.co",
+ "ttl": "21599",
+ "type": "NS"
+ },
+ {
+ "class": "IN",
+ "data": "ns-2007.awsdns-58.co.uk",
+ "name": "elastic.co",
+ "ttl": "21599",
+ "type": "NS"
+ },
+ {
+ "class": "IN",
+ "data": "ns-66.awsdns-08.com",
+ "name": "elastic.co",
+ "ttl": "21599",
+ "type": "NS"
+ },
+ {
+ "class": "IN",
+ "data": "ns-835.awsdns-40.net",
+ "name": "elastic.co",
+ "ttl": "21599",
+ "type": "NS"
+ }
+ ],
+ "answers_count": 4,
+ "authorities_count": 0,
+ "flags": {
+ "authentic_data": false,
+ "authoritative": false,
+ "checking_disabled": false,
+ "recursion_available": true,
+ "recursion_desired": true,
+ "truncated_response": false
+ },
+ "header_flags": [
+ "RD",
+ "RA"
+ ],
+ "id": 26187,
+ "op_code": "QUERY",
+ "question": {
+ "class": "IN",
+ "etld_plus_one": "elastic.co",
+ "name": "elastic.co",
+ "registered_domain": "elastic.co",
+ "top_level_domain": "co",
+ "type": "NS"
+ },
+ "response_code": "NOERROR",
+ "type": "answer"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "network_traffic.dns",
+ "duration": 68515700,
+ "end": "2022-03-09T07:48:42.819Z",
+ "ingested":
"2022-03-09T07:48:43Z", + "kind": "event", + "start": "2022-03-09T07:48:42.751Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "QUERY", + "network": { + "bytes": 195, + "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", + "direction": "unknown", + "protocol": "dns", + "transport": "udp", + "type": "ipv4" + }, + "query": "class IN, type NS, elastic.co", + "related": { + "ip": [ + "192.168.238.68", + "8.8.8.8" + ] + }, + "resource": "elastic.co", + "server": { + "bytes": 167, + "ip": "8.8.8.8", + "port": 53 + }, + "source": { + "bytes": 28, + "ip": "192.168.238.68", + "port": 53765 + }, + "status": "OK", + "type": "dns" +} +``` + +### HTTP + +Fields published for HTTP packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
+| flow.id | Internal flow ID based on connection meta data and address. | keyword |
+| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened |
+| http.response.status_code | HTTP response status code. | long |
+| http.response.status_phrase | The HTTP status phrase. | keyword |
+| http.version | HTTP version. | keyword |
+| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
| keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| params | The request parameters.
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
+| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
+| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
+| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.process.args | The command-line of the process that served the transaction. | keyword |
+| server.process.executable | Absolute path to the server process executable.
| keyword |
+| server.process.name | The name of the process that served the transaction. | keyword |
+| server.process.start | The time the server process started. | date |
+| server.process.working_directory | The working directory of the server process. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
+| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443.
| long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
+
+An example event for `http` looks as following:
+
+```json
+{
+ "@timestamp": "2022-03-09T07:54:42.031Z",
+ "agent": {
+ "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "name": "docker-fleet-agent",
+ "type": "packetbeat",
+ "version": "8.0.0"
+ },
+ "client": {
+ "bytes": 211,
+ "ip": "192.168.238.50",
+ "port": 64770
+ },
+ "data_stream": {
+ "dataset": "network_traffic.http",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 9108,
+ "domain": "packetbeat.com",
+ "ip": "107.170.1.22",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "network_traffic.http",
+ "duration": 141490400,
+ "end": "2022-03-09T07:54:42.172Z",
+ "ingested": "2022-03-09T07:54:43Z",
+ "kind": "event",
+ "start": "2022-03-09T07:54:42.031Z",
+ "type": [
+ "connection",
+ "protocol"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "ip": [
+ "192.168.176.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-B0-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.10.47-linuxkit",
+ "name":
"Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "http": { + "request": { + "body": { + "bytes": 55 + }, + "bytes": 211, + "headers": { + "content-length": 55, + "content-type": "application/x-www-form-urlencoded" + }, + "method": "POST" + }, + "response": { + "body": { + "bytes": 8936 + }, + "bytes": 9108, + "headers": { + "content-length": 8936, + "content-type": "text/html; charset=utf-8" + }, + "status_code": 404, + "status_phrase": "not found" + }, + "version": "1.1" + }, + "method": "POST", + "network": { + "bytes": 9319, + "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", + "direction": "unknown", + "protocol": "http", + "transport": "tcp", + "type": "ipv4" + }, + "query": "POST /register", + "related": { + "hosts": [ + "packetbeat.com" + ], + "ip": [ + "192.168.238.50", + "107.170.1.22" + ] + }, + "server": { + "bytes": 9108, + "domain": "packetbeat.com", + "ip": "107.170.1.22", + "port": 80 + }, + "source": { + "bytes": 211, + "ip": "192.168.238.50", + "port": 64770 + }, + "status": "Error", + "type": "http", + "url": { + "domain": "packetbeat.com", + "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", + "path": "/register", + "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", + "scheme": "http" + }, + "user_agent": { + "original": "curl/7.37.1" + } +} +``` + +### ICMP + +Fields published for ICMP packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. 
| keyword |
+| client.process.name | The name of the process that initiated the transaction. | keyword |
+| client.process.start | The time the client process started. | date |
+| client.process.working_directory | The working directory of the client process. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
+| flow.id | Internal flow ID based on connection meta data and address. | keyword |
+| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information.
| keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| icmp.request.code | The request code. | long |
+| icmp.request.message | A human readable form of the request. | keyword |
+| icmp.request.type | The request type. | long |
+| icmp.response.code | The response code. | long |
+| icmp.response.message | A human readable form of the response. | keyword |
+| icmp.response.type | The response type. | long |
+| icmp.version | The version of the ICMP protocol. | long |
+| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic.
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
+| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
+| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
| keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | + + +An example event for `icmp` looks as following: + +```json +{ + "@timestamp": "2022-03-09T07:57:32.766Z", + "agent": { + "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 4, + "ip": "::1" + }, + "data_stream": { + "dataset": "network_traffic.icmp", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 4, + "ip": "::2" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.icmp", + "duration": 13336600, + "end": "2022-03-09T07:57:32.779Z", + "ingested": "2022-03-09T07:57:36Z", + "kind": "event", + "start": "2022-03-09T07:57:32.766Z", + "type": [ + "connection" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "icmp": { + "request": { + "code": 0, + "message": "EchoRequest", + "type": 128 + }, + "response": { + "code": 0, + "message": "EchoReply", + "type": 129 + }, + "version": 6 + }, + "network": { + "bytes": 8, + "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", + "direction": "egress", + "transport": "ipv6-icmp", + "type": "ipv6" + }, + "path": "::2", + "related": { + "ip": [ + "::1", + "::2" + ] + }, + "server": { + "bytes": 4, + "ip": "::2" + }, + "source": { + "bytes": 4, + "ip": "::1" + }, + "status": "OK", + "type": "icmp" +} +``` + +### Memcached + +Fields published for Memcached packets. 
+ +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword | +| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword | +| memcache.request.bytes | The byte count of the values being transferred. | long | +| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long | +| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword | +| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long | +| memcache.request.delta | The counter increment/decrement delta value. | long | +| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long | +| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long | +| memcache.request.flags | The memcache command flags sent in the request (if present). | long | +| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long | +| memcache.request.keys | The list of keys sent in the store or load commands. 
| array | +| memcache.request.line | The raw command line for unknown commands ONLY. | keyword | +| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean | +| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | +| memcache.request.opcode | The binary protocol message opcode name. | keyword | +| memcache.request.opcode_value | The binary protocol message opcode value. | long | +| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean | +| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword | +| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long | +| memcache.request.source_class | The source class id in 'slab reassign' command. | long | +| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword | +| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array | +| memcache.request.vbucket | The vbucket index sent in the binary message. | long | +| memcache.request.verbosity | The value of the memcache "verbosity" command. | long | +| memcache.response.bytes | The byte count of the values being transferred. | long | +| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long | +| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword | +| memcache.response.count_values | The number of values found in the memcache response message. 
If the command does not send any data, this field is missing. | long | +| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword | +| memcache.response.flags | The memcache message flags sent in the response (if present). | long | +| memcache.response.keys | The list of keys returned for the load command (if present). | array | +| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | +| memcache.response.opcode | The binary protocol message opcode name. | keyword | +| memcache.response.opcode_value | The binary protocol message opcode value. | long | +| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array | +| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword | +| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long | +| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword | +| memcache.response.value | The counter value returned by a counter operation. | long | +| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array | +| memcache.response.version | The returned memcache version string. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `memcached` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:09:26.564Z", + "agent": { + "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "ip": "192.168.188.37", + "port": 65195 + }, + "data_stream": { + "dataset": "network_traffic.memcached", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 1064, + "ip": "192.168.188.38", + "port": 11211 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.memcached", + "ingested": "2022-03-09T08:09:37Z", + "kind": "event", + "start": "2022-03-09T08:09:26.564Z", + "type": [ + "connection", + "protocol" + ] + }, + "event.action": "memcache.store", + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "memcache": { + "protocol_type": "binary", + "request": { + "bytes": 1024, + "command": "set", + "count_values": 1, + "exptime": 0, + "flags": 0, + "keys": [ + "test_key" + ], + "opaque": 65536, + "opcode": "SetQ", + 
"opcode_value": 17, + "quiet": true, + "type": "Store", + "vbucket": 0 + } + }, + "network": { + "bytes": 1064, + "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", + "direction": "unknown", + "protocol": "memcache", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.188.37", + "192.168.188.38" + ] + }, + "server": { + "bytes": 1064, + "ip": "192.168.188.38", + "port": 11211 + }, + "source": { + "ip": "192.168.188.37", + "port": 65195 + }, + "status": "OK", + "type": "memcache" +} +``` + +### MongoDB + +Fields published for MongoDB packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. 
| keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. 
| boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. 
| keyword | +| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword | +| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword | +| mongodb.numberReturned | The number of documents in the reply. | long | +| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long | +| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long | +| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword | +| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword | +| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword | +| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword | +| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. 
| keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `mongodb` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:15:48.570Z", + "agent": { + "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 50, + "ip": "127.0.0.1", + "port": 57203 + }, + "data_stream": { + "dataset": "network_traffic.mongodb", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 514, + "ip": "127.0.0.1", + "port": 27017 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.mongodb", + "duration": 1365900, + "end": "2022-03-09T08:15:48.571Z", + "ingested": "2022-03-09T08:15:49Z", + "kind": "event", + "start": "2022-03-09T08:15:48.570Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "find", + "mongodb": { + "cursorId": 0, + "fullCollectionName": "test.restaurants", + "numberReturned": 1, + "numberToReturn": 1, + "numberToSkip": 0, + "startingFrom": 0 + }, + "network": { + "bytes": 564, + "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", + "direction": "ingress", + "protocol": "mongodb", + "transport": "tcp", + "type": "ipv4" + }, + "query": "test.restaurants.find().limit(1)", + 
"related": { + "ip": [ + "127.0.0.1" + ] + }, + "resource": "test.restaurants", + "server": { + "bytes": 514, + "ip": "127.0.0.1", + "port": 27017 + }, + "source": { + "bytes": 50, + "ip": "127.0.0.1", + "port": 57203 + }, + "status": "OK", + "type": "mongodb" +} +``` + +### MySQL + +Fields published for MySQL packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. 
| long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | +| mysql.error_code | The error code returned by MySQL. | long | +| mysql.error_message | The error info message returned by MySQL. 
| keyword | +| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | +| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | +| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | +| mysql.query | The row mysql query as read from the transaction's request. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. 
| keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `mysql` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:20:44.667Z", + "agent": { + "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 23, + "ip": "127.0.0.1", + "port": 41517 + }, + "data_stream": { + "dataset": "network_traffic.mysql", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 3629, + "ip": "127.0.0.1", + "port": 3306 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.mysql", + "duration": 5532500, + "end": "2022-03-09T08:20:44.673Z", + "ingested": "2022-03-09T08:20:45Z", + "kind": "event", + "start": "2022-03-09T08:20:44.667Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": 
{ + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SELECT", + "mysql": { + "affected_rows": 0, + "insert_id": 0, + "num_fields": 3, + "num_rows": 15 + }, + "network": { + "bytes": 3652, + "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", + "direction": "ingress", + "protocol": "mysql", + "transport": "tcp", + "type": "ipv4" + }, + "path": "test.test", + "query": "select * from test", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3629, + "ip": "127.0.0.1", + "port": 3306 + }, + "source": { + "bytes": 23, + "ip": "127.0.0.1", + "port": 41517 + }, + "status": "OK", + "type": "mysql" +} +``` + +### NFS + +Fields published for NFS packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| nfs.minor_version | NFS protocol minor version number. | long | +| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | +| nfs.status | NFS operation reply status. | keyword | +| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | +| nfs.version | NFS protocol version number. | long | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| rpc.auth_flavor | RPC authentication flavor. | keyword | +| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | +| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | +| rpc.cred.machinename | The name of the caller's machine. | keyword | +| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | +| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | +| rpc.status | RPC message reply status. | keyword | +| rpc.xid | RPC message transaction identifier. | keyword | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. 
| long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | +| user.id | Unique identifier of the user. | keyword | + + +An example event for `nfs` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:24:00.569Z", + "agent": { + "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 208, + "domain": "desycloud03.desy.de", + "ip": "131.169.5.156", + "port": 907 + }, + "data_stream": { + "dataset": "network_traffic.nfs", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 176, + "ip": "131.169.192.35", + "port": 2049 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "nfs.CLOSE", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.nfs", + "duration": 6573500, + "end": "2022-03-09T08:24:00.575Z", + "ingested": "2022-03-09T08:24:01Z", + "kind": "event", + "start": "2022-03-09T08:24:00.569Z", + "type": [ + "connection", + "protocol" + ] + }, + "group.id": 48, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "host.hostname": "desycloud03.desy.de", + "network": { + "bytes": 384, + "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=", + "direction": "unknown", + "protocol": "nfsv4", + "transport": "tcp", + "type": "ipv4" + }, + "nfs": { + "minor_version": 1, + "opcode": "CLOSE", + "status": "NFS_OK", + "tag": "", + "version": 4 + }, + "related": { + "ip": [ + "131.169.5.156", + "131.169.192.35" + ] + }, + "rpc": { + "auth_flavor": "unix", + "cred": { + "gid": 48, + "gids": [ + 48 + ], + "machinename": "desycloud03.desy.de", + "stamp": 4308441, + "uid": 48 + }, + "status": "success", + "xid": "c3103fc1" + }, + "server": { + "bytes": 176, + "ip": "131.169.192.35", + "port": 2049 + }, + "source": { + "bytes": 208, + "domain": "desycloud03.desy.de", + "ip": "131.169.5.156", + "port": 907 + }, + "status": "OK", + "type": "nfs", + "user.id": 48 +} +``` + +### PostgreSQL + +Fields published for PostgreSQL packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| pgsql.error_code | The PostgreSQL error code. | keyword | +| pgsql.error_message | The PostgreSQL error message. | keyword | +| pgsql.error_severity | The PostgreSQL error severity. | keyword | +| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | +| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. 
| long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `pgsql` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:29:39.675Z", + "agent": { + "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 34, + "ip": "127.0.0.1", + "port": 34936 + }, + "data_stream": { + "dataset": "network_traffic.pgsql", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 3186, + "ip": "127.0.0.1", + "port": 5432 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.pgsql", + "duration": 2568100, + "end": "2022-03-09T08:29:39.678Z", + "ingested": "2022-03-09T08:29:40Z", + "kind": "event", + "start": "2022-03-09T08:29:39.675Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + 
"architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SELECT", + "network": { + "bytes": 3220, + "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", + "direction": "ingress", + "protocol": "pgsql", + "transport": "tcp", + "type": "ipv4" + }, + "pgsql": { + "num_fields": 3, + "num_rows": 15 + }, + "query": "select * from long_response", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3186, + "ip": "127.0.0.1", + "port": 5432 + }, + "source": { + "bytes": 34, + "ip": "127.0.0.1", + "port": 34936 + }, + "status": "OK", + "type": "pgsql" +} +``` + +### Redis + +Fields published for Redis packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. 
For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | +| redis.return_value | The return value of the Redis command in a human readable format. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `redis` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:30:57.254Z", + "agent": { + "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 31, + "ip": "127.0.0.1", + "port": 32810 + }, + "data_stream": { + "dataset": "network_traffic.redis", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 5, + "ip": "127.0.0.1", + "port": 6380 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "redis.set", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.redis", + "duration": 1421600, + "end": "2022-03-09T08:30:57.256Z", + "ingested": "2022-03-09T08:30:58Z", + "kind": "event", + "start": "2022-03-09T08:30:57.254Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "SET", + "network": { + "bytes": 36, + "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", + "direction": "ingress", + "protocol": "redis", + "transport": "tcp", + "type": "ipv4" + }, + "query": "set key3 me", + "redis": { + "return_value": "OK" + }, + "related": { + "ip": [ + 
"127.0.0.1" + ] + }, + "resource": "key3", + "server": { + "bytes": 5, + "ip": "127.0.0.1", + "port": 6380 + }, + "source": { + "bytes": 31, + "ip": "127.0.0.1", + "port": 32810 + }, + "status": "OK", + "type": "redis" +} +``` + +### SIP + +Fields published for SIP packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. 
| keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. 
| boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. 
The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| sip.accept | Accept header value. | keyword | +| sip.allow | Allowed methods. | keyword | +| sip.auth.realm | Auth realm | keyword | +| sip.auth.scheme | Auth scheme | keyword | +| sip.auth.uri.host | Auth URI host | keyword | +| sip.auth.uri.original | Auth original URI | keyword | +| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text | +| sip.auth.uri.port | Auth URI port | long | +| sip.auth.uri.scheme | Auth URI scheme | keyword | +| sip.call_id | Call ID. | keyword | +| sip.code | Response status code. | long | +| sip.contact.display_info | Contact display info | keyword | +| sip.contact.expires | Contact expires | keyword | +| sip.contact.line | Contact line | keyword | +| sip.contact.q | Contact Q | keyword | +| sip.contact.transport | Contact transport | keyword | +| sip.contact.uri.host | Contact URI host | keyword | +| sip.contact.uri.original | Contact original URI | keyword | +| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. 
| text | +| sip.contact.uri.port | Contact URI port | long | +| sip.contact.uri.scheme | Contat URI scheme | keyword | +| sip.contact.uri.username | Contact URI user name | keyword | +| sip.content_length | | long | +| sip.content_type | | keyword | +| sip.cseq.code | Sequence code. | long | +| sip.cseq.method | Sequence method. | keyword | +| sip.from.display_info | From display info | keyword | +| sip.from.tag | From tag | keyword | +| sip.from.uri.host | From URI host | keyword | +| sip.from.uri.original | From original URI | keyword | +| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | +| sip.from.uri.port | From URI port | long | +| sip.from.uri.scheme | From URI scheme | keyword | +| sip.from.uri.username | From URI user name | keyword | +| sip.max_forwards | | long | +| sip.method | Request method. | keyword | +| sip.private.uri.host | Private URI host. | keyword | +| sip.private.uri.original | Private original URI. | keyword | +| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | +| sip.private.uri.port | Private URI port. | long | +| sip.private.uri.scheme | Private URI scheme. | keyword | +| sip.private.uri.username | Private URI user name. | keyword | +| sip.sdp.body.original | SDP original body | keyword | +| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | +| sip.sdp.connection.address | SDP connection address | keyword | +| sip.sdp.connection.info | SDP connection info | keyword | +| sip.sdp.owner.ip | SDP owner IP | ip | +| sip.sdp.owner.session_id | SDP owner session ID | keyword | +| sip.sdp.owner.username | SDP owner user name | keyword | +| sip.sdp.owner.version | SDP owner version | keyword | +| sip.sdp.session.name | SDP session name | keyword | +| sip.sdp.version | SDP version | keyword | +| sip.status | Response status phrase. | keyword | +| sip.supported | Supported methods. 
| keyword | +| sip.to.display_info | To display info | keyword | +| sip.to.tag | To tag | keyword | +| sip.to.uri.host | To URI host | keyword | +| sip.to.uri.original | To original URI | keyword | +| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | +| sip.to.uri.port | To URI port | long | +| sip.to.uri.scheme | To URI scheme | keyword | +| sip.to.uri.username | To URI user name | keyword | +| sip.type | Either request or response. | keyword | +| sip.uri.host | The URI host. | keyword | +| sip.uri.original | The original URI. | keyword | +| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | +| sip.uri.port | The URI port. | long | +| sip.uri.scheme | The URI scheme. | keyword | +| sip.uri.username | The URI user name. | keyword | +| sip.user_agent.original | | keyword | +| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | +| sip.version | SIP protocol version. | keyword | +| sip.via.original | The original Via value. | keyword | +| sip.via.original.text | Multi-field of `sip.via.original`. | text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. 
| match_only_text | + + +An example event for `sip` looks as following: + +```json +{ + "@timestamp": "2022-05-13T07:10:35.715Z", + "agent": { + "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", + "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.2.0" + }, + "client": { + "ip": "10.0.2.20", + "port": 5060 + }, + "data_stream": { + "dataset": "network_traffic.sip", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.0.2.15", + "port": 5060 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "sip-invite", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.sip", + "duration": 0, + "end": "2022-05-13T07:10:35.715Z", + "ingested": "2022-05-13T07:10:39Z", + "kind": "event", + "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", + "sequence": 1, + "start": "2022-05-13T07:10:35.715Z", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.31.0.7" + ], + "mac": [ + "02-42-AC-1F-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "network": { + 
"application": "sip", + "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", + "direction": "unknown", + "iana_number": "17", + "protocol": "sip", + "transport": "udp", + "type": "ipv4" + }, + "related": { + "hosts": [ + "10.0.2.15", + "10.0.2.20" + ], + "ip": [ + "10.0.2.20", + "10.0.2.15" + ], + "user": [ + "test", + "sipp" + ] + }, + "server": { + "ip": "10.0.2.15", + "port": 5060 + }, + "sip": { + "call_id": "1-2187@10.0.2.20", + "contact": { + "display_info": "test", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + } + }, + "content_length": 123, + "content_type": "application/sdp", + "cseq": { + "code": 1, + "method": "INVITE" + }, + "from": { + "display_info": "DVI4/8000", + "tag": "1", + "uri": { + "host": "10.0.2.20", + "original": "sip:sipp@10.0.2.20:5060", + "port": 5060, + "scheme": "sip", + "username": "sipp" + } + }, + "max_forwards": 70, + "method": "INVITE", + "sdp": { + "body": { + "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" + }, + "connection": { + "address": "10.0.2.20", + "info": "IN IP4 10.0.2.20" + }, + "owner": { + "ip": "10.0.2.20", + "session_id": "42", + "version": "42" + }, + "version": "0" + }, + "to": { + "display_info": "test", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + } + }, + "type": "request", + "uri": { + "host": "10.0.2.15", + "original": "sip:test@10.0.2.15:5060", + "port": 5060, + "scheme": "sip", + "username": "test" + }, + "version": "2.0", + "via": { + "original": [ + "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" + ] + } + }, + "source": { + "ip": "10.0.2.20", + "port": 5060 + }, + "status": "OK", + "type": "sip" +} +``` + +### Thrift + +Fields published for Thrift packets. 
+ +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. 
| keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | +| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | +| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
| keyword | +| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `thrift` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:33:31.022Z", + "agent": { + "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 50919 + }, + "data_stream": { + "dataset": "network_traffic.thrift", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 9090 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.thrift", + "duration": 1394000, + "end": "2022-03-09T08:33:31.023Z", + "ingested": "2022-03-09T08:33:32Z", + "kind": "event", + "start": "2022-03-09T08:33:31.022Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "method": "testByte", + "network": { + "bytes": 50, + "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", + "direction": "ingress", + "protocol": "thrift", + "transport": "tcp", + "type": "ipv4" + }, + "path": "", + "query": "testByte(1: 63)", + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 25, + "ip": 
"127.0.0.1", + "port": 9090 + }, + "source": { + "bytes": 25, + "ip": "127.0.0.1", + "port": 50919 + }, + "status": "OK", + "thrift": { + "params": "(1: 63)", + "return_value": "63" + }, + "type": "thrift" +} +``` + +### TLS + +Fields published for TLS packets. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. 
| keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | +| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. 
| long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | +| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | +| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. 
| date | +| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | +| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | +| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.country | List of country (C) codes | keyword | +| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.locality | List of locality names (L) | keyword | +| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
| keyword | +| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| tls.client.x509.public_key_size | The size of the public key space in bits. | long | +| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.client.x509.subject.country | List of country (C) code | keyword | +| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.client.x509.subject.locality | List of locality names (L) | keyword | +| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | +| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.version_number | Version of x509 format. | keyword | +| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | +| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword | +| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array | +| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean | +| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword | +| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword | +| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword | +| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword | +| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword | +| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword | +| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short | +| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short | +| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword | +| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword | +| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword | +| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | +| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | +| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword | +| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword | +| tls.detailed.ocsp_response | The result of an OCSP request. | keyword | +| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword | +| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array | +| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword | +| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword | +| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword | +| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword | +| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean | +| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword | +| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | +| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword | +| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | +| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword | +| tls.detailed.version | The version of the TLS protocol used. | keyword | +| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | +| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | +| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | +| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | +| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | +| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. 
| keyword | +| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | +| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | +| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | +| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.country | List of country (C) codes | keyword | +| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.locality | List of locality names (L) | keyword | +| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long | +| tls.server.x509.public_key_size | The size of the public key space in bits. | long | +| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.server.x509.subject.country | List of country (C) code | keyword | +| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.server.x509.subject.locality | List of locality names (L) | keyword | +| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | +| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.version_number | Version of x509 format. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | + + +An example event for `tls` looks as following: + +```json +{ + "@timestamp": "2022-03-09T08:34:08.391Z", + "agent": { + "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.0.0" + }, + "client": { + "ip": "192.168.1.36", + "port": 60946 + }, + "data_stream": { + "dataset": "network_traffic.tls", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "play.google.com", + "ip": "216.58.201.174", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "network_traffic.tls", + "duration": 14861200, + "end": "2022-03-09T08:34:08.406Z", + "ingested": "2022-03-09T08:34:09Z", + "kind": "event", + "start": "2022-03-09T08:34:08.391Z", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.176.7" + ], + "mac": [ + "02-42-C0-A8-B0-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.47-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "network": { + "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", + "direction": "unknown", + "protocol": "tls", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.1.36", + "216.58.201.174" + ] + }, + "server": { + "domain": "play.google.com", + "ip": "216.58.201.174", + "port": 443 + }, + "source": { + "ip": "192.168.1.36", + "port": 60946 + }, + "status": "OK", + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "client": { + "ja3": "d470a3fa301d80227bc5650c75567d25", + "server_name": "play.google.com", + 
"supported_ciphers": [ + "TLS_AES_128_GCM_SHA256", + "TLS_CHACHA20_POLY1305_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + ] + }, + "detailed": { + "client_certificate_requested": false, + "client_hello": { + "extensions": { + "_unparsed_": [ + "23", + "renegotiation_info", + "status_request", + "51", + "45", + "28", + "41" + ], + "application_layer_protocol_negotiation": [ + "h2", + "http/1.1" + ], + "ec_points_formats": [ + "uncompressed" + ], + "server_name_indication": [ + "play.google.com" + ], + "signature_algorithms": [ + "ecdsa_secp256r1_sha256", + "ecdsa_secp384r1_sha384", + "ecdsa_secp521r1_sha512", + "rsa_pss_sha256", + "rsa_pss_sha384", + "rsa_pss_sha512", + "rsa_pkcs1_sha256", + "rsa_pkcs1_sha384", + "rsa_pkcs1_sha512", + "ecdsa_sha1", + "rsa_pkcs1_sha1" + ], + "supported_groups": [ + "x25519", + "secp256r1", + "secp384r1", + "secp521r1", + "ffdhe2048", + "ffdhe3072" + ], + "supported_versions": [ + "TLS 1.3", + "TLS 1.2", + "TLS 1.1", + "TLS 1.0" + ] + }, + "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "supported_compression_methods": [ + "NULL" + ], + "version": "3.3" + }, + "resumption_method": "id", + "server_hello": { + "extensions": { + "_unparsed_": [ + "41", + "51" + ], + "supported_versions": "TLS 1.3" + }, + "selected_compression_method": "NULL", + "session_id": 
"5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "version": "3.3" + }, + "version": "TLS 1.3" + }, + "established": true, + "resumed": true, + "version": "1.3", + "version_protocol": "tls" + }, + "type": "tls" +} +``` + +## Licensing for Windows Systems + +The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json new file mode 100755 index 0000000000..16f534dd5e --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Overview of DNS request and response metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] DNS Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-dns-query-summary", + "name": 
"panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-dns-request-status-over-time", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-dns-question-types", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-dns-top-10-questions", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-dns-response-codes", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..7562508a09 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "DHCPv4 Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] DHCPv4", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", + "migrationVersion": { + 
"dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "5:panel_5", + "type": "search" + }, + { + "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", + "name": "8:panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json new file mode 100755 index 0000000000..489417c609 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] Cassandra", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-cassandra-responsekeyspace", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-responsetype", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-responsetime", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-requestcount", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-ops", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-requestcountstackbytype", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-responsecountstackbytype", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-requestcountbytype", + "name": "17:panel_17", + "type": 
"visualization" + }, + { + "id": "network_traffic-cassandra-responsecountbytype", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "network_traffic-cassandra-queryview", + "name": "20:panel_20", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json new file mode 100755 index 0000000000..c1dee3dfea --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "Network Packet Capture overview dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dashboard", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-web-transactions", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-db-transactions", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-response-times-percentiles", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-errors-count-over-time", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-errors-vs-successful-transactions", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "network_traffic-latency-histogram", + "name": "8:panel_8", + "type": "visualization" + 
}, + { + "id": "network_traffic-response-times-repartition", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json new file mode 100755 index 0000000000..d6f50f2545 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "Detecting tunneling over DNS.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] DNS Tunneling", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-unique-domains", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-unique-fqdns-per-etld-1", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-unique-fqdns-per-etld-1-table", + "name": "panel_1", + "type": "visualization" + }, + { + "id": 
"network_traffic-bytes-transferred-per-domain", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", + "name": "panel_3", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json new file mode 100755 index 0000000000..13b51d1106 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json 
@@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] Network Flows", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-flows", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-top-hosts-creating-traffic", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-connections-over-time", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-top-hosts-receiving-traffic", + "name": "panel_3", + "type": "visualization" + }, + { + "id": 
"network_traffic-network-traffic-between-your-hosts", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json new file mode 100755 index 0000000000..0699eb175a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] HTTP", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-http", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": 
"network_traffic-web-transactions", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-http-error-codes", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-http-error-codes-evolution", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-total-number-of-http-transactions", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-http-codes-for-the-top-queries", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-top-10-http-requests", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json new file mode 100755 index 0000000000..76b41ed6ac --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] MongoDB", + "version": 1 + }, + "coreMigrationVersion": 
"7.17.0", + "id": "network_traffic-mongodb-performance", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-navigation", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-mongodb-errors", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-mongodb-commands", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-mongodb-errors-per-collection", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-mongodb-in-slash-out-throughput", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-mongodb-response-times-by-collection", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-top-slowest-mongodb-queries", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json new file mode 100755 index 0000000000..6e51b19d93 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network 
Packet Capture] MySQL performance", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-performance", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-errors", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-mysql-methods", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-mysql-throughput", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-most-frequent-mysql-queries", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-slowest-mysql-queries", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-mysql-response-times-percentiles", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-mysql-reads-vs-writes", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json new file mode 100755 index 0000000000..2b9bfc8b82 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "NFSv3 and NFSv4 transactions over TCP.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] NFS", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs-clients-pie-chart", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-operations-area-chart", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-top-group-pie-chart", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-top-users-pie-chart", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-response-times", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-errors", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-operation-table", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-nfs-bytes-in-slash-out", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "network_traffic-navigation", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json new file mode 100755 index 0000000000..462ad7a8be --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "Postgres database query performance.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", + 
"timeRestore": false, + "title": "[Network Packet Capture] PgSQL performance", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-performance", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-navigation", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "network_traffic-pgsql-errors", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-pgsql-methods", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-pgsql-response-times-percentiles", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-pgsql-throughput", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-pgsql-reads-vs-writes", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-most-frequent-pgsql-queries", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-slowest-pgsql-queries", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json new file mode 100755 index 0000000000..fe50a1efbd --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] Thrift performance", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-performance", 
+ "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-navigation", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "network_traffic-thrift-requests-per-minute", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "network_traffic-thrift-rpc-errors", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "network_traffic-slowest-thrift-rpc-methods", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-thrift-response-times-percentiles", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "network_traffic-top-thrift-rpc-methods", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "network_traffic-top-thrift-rpc-calls-with-errors", + "name": "7:panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json new file mode 100755 index 0000000000..876601f994 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "[Network Packet Capture] TLS Sessions", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Network Packet Capture] TLS Sessions", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-tls-sessions", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-navigation", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", + "name": "12:panel_12", + 
"type": "visualization" + }, + { + "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", + "name": "19:panel_19", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json new file mode 100755 index 0000000000..afb21d2457 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] MongoDB errors", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json new file mode 100755 index 0000000000..67be55b24a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] TLS Fingerprint", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json new file mode 100755 index 0000000000..6d16385a7d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] HTTP Transactions Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json new file mode 100755 index 0000000000..438de0c09a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json 
@@ -0,0 +1,43 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] TLS Handshake Latency", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..b2320634bf --- /dev/null 
+++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Server Public Key Size", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..7851d8f875 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] TLS Server Name Indication", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..44b4e814c2 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "columns": [ + "dhcpv4.transaction_id", + "dhcpv4.op_code", + "dhcpv4.option.message_type", + "source.ip", + "destination.ip", + "dhcpv4.client_mac", + "dhcpv4.option.hostname", + "dhcpv4.option.class_identifier" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] DHCPv4", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..48114ab869 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] TLS Version", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json new file mode 100755 index 0000000000..4da4785f32 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json 
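Review bot: The "[Network Packet Capture] TLS Version" saved search pins its only filter to `tls.detailed.version`, a packetbeat-specific field, rather than the ECS fields `tls.version` / `tls.version_protocol` that the sibling TLS searches in this hunk set already lean on (`tls.client.ja3`, `tls.client.server_name`, `tls.server.x509.public_key_size`). If the non-ECS `tls.detailed.*` fields are ever dropped or renamed by the ingest pipeline, this search and any dashboard panel built on it silently return zero hits with no error, which is the kind of blind spot a TLS-posture review relies on. I cannot tell from this diff whether the pipeline populates `tls.version` for this dataset; if it does, consider changing the filter key and `exists.field` to `tls.version` (or `tls.version_protocol`) so the search survives removal of the detailed fields. This is a generated Kibana export, so the fix belongs in the source object, not a hand edit of the JSON.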
@@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "cassandra.request.query", + "cassandra.response.result.rows.meta.keyspace", + "cassandra.response.result.rows.meta.table", + "cassandra.response.result.rows.num_rows" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Cassandra Query Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-queryview", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json new file mode 100755 index 0000000000..e042ed47b0 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json 
@@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "server.ip", + "destination.ip", + "dns.question.name", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] DNS Protocol", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json new file mode 100755 index 0000000000..adda40afe3 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Cassandra Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..54ccb16243 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] TLS Sessions", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json new file mode 100755 index 0000000000..94bf5f31c0 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json 
@@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "type", + "event.start", + "event.end", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "source.bytes", + "destination.bytes" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Flows Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-flows-search", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json new file mode 100755 index 0000000000..f3f1e907c0 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status", + "query" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] MongoDB transactions with write concern 0", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-transactions-with-write-concern-0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json new file mode 100755 index 0000000000..71fb0f7d06 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status", + "query" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] MongoDB Transaction Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-transactions", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json new file mode 100755 index 0000000000..e6696d3dfe --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] MySQL Errors Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-errors", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json new file mode 100755 index 0000000000..035e4af69f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] MySQL Transactions", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-transactions", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json new file mode 100755 index 0000000000..234a135c17 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json 
@@ -0,0 +1,43 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] NFS Error Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-errors-search", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" 
+} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json new file mode 100755 index 0000000000..637ab8785a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json @@ -0,0 +1,33 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] NFS Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json new file mode 100755 index 0000000000..e1e696c06b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] PgSQL Errors Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-errors", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json new file mode 100755 index 0000000000..4cf83e438b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] PgSQL Transactions", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-transactions", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json new file mode 100755 index 0000000000..b8dcde28ff --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json 
@@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.port", + "server.ip", + "server.port", + "data_stream.dataset", + "query", + "method", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-search", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json new file mode 100755 index 0000000000..4ada45ff68 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Thrift Errors", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-errors", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json new file mode 100755 index 0000000000..d561697995 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "method", + "type", + "path", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Thrift Transactions Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-transactions", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json new file mode 100755 index 0000000000..26f67d32a2 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json 
@@ -0,0 +1,51 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.port", + "server.ip", + "server.port", + "data_stream.dataset", + "query", + "method", + "event.duration", + "status" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Network Packet Capture] Transactions Errors Search", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-transactions-errors", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + 
{ + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..72cce261f0 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Sessions", + "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..428c808c1b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" + }, + "title": "[Network Packet Capture] Total Number of TLS Sessions", + "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json new file mode 100755 index 0000000000..3d5fc5d68c --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Server Certificates", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..a9a6b6d585 --- /dev/null 
+++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Versions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..5c709d21ab --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DHCPv4 Client Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json new file mode 100755 index 0000000000..238ff5fe1b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Session Resume", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..28758eb761 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DHCPv4 Message Types", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json new file mode 100755 index 0000000000..dfd0b9c2df --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Cipher", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..69216a897d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json new file mode 100755 index 0000000000..e347b89b8e --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..27390bc2a6 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json 
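Review bot: All three series in `seriesParams` on this line carry `\"mode\":\"stacked\"` on the same `ValueAxis-1`, so the Min, Avg and Max areas are drawn on top of one another and, as far as I can tell from vislib's stacking, the topmost band reads as min+avg+max rather than the maximum response time. Change each to `\"mode\":\"normal\"` so the three areas are plotted against a common baseline and "Max" means max. The value-axis title `\"title\":{\"text\":\"Average event.duration\"}` also mislabels a chart that shows min/avg/max; `\"title\":{\"text\":\"Response time (ns)\"}` would match the series labels.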
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" + }, + "title": "[Network Packet Capture] DHCPv4 Message Types over Time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json new file mode 100755 index 0000000000..23e4ad24db --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json 
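Review bot: The panel-level filter `\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"}` keys on the legacy Packetbeat `type` field, while the saved-object query earlier in this hunk and the other DHCPv4 panels in the package select on `data_stream.dataset:network_traffic.dhcpv4`; if the integration's data stream does not populate `type`, this TSVB panel renders empty. Replace it with `\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}`. Separately, `\"index_pattern\":\"logs-*\"` together with `\"use_kibana_indexes\":false` and an empty `"references"` array means the panel queries every `logs-*` index directly and its data dependency is invisible to saved-object export/import; scoping it to `logs-network_traffic.dhcpv4-*` would narrow the scan and document the source.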
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Client Certificates", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..e100d4e38f --- /dev/null 
+++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Server Name Indication", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json new file mode 100755 index 0000000000..204f509a93 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Fingerprint", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..c8ca05e364 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Server Public Key Size", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json new file mode 100755 index 0000000000..7d805b99d1 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json 
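Review bot: The title embedded in `visState` is `[Network Packet Capture] Server Public Key Size` while `attributes.title` in the same object is `[Network Packet Capture] TLS Server Public Key Size`; the two copies should agree so the panel name is unambiguous wherever it is displayed. Change the visState value to `\"title\":\"[Network Packet Capture] TLS Server Public Key Size\"`.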
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json new file mode 100755 index 0000000000..6b89c0127d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Bytes Transferred per Domain", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-bytes-transferred-per-domain", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json new file mode 100755 index 0000000000..1b5f21f993 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json 
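Review bot: In the `seriesParams` of the Bytes Transferred per Domain visState, the first series carries `\"show\":\"true\"` (a string) while the second carries `\"show\":true` (a boolean); the value should be the boolean `true` in both so that a consumer reading the flag strictly treats the two series the same way. The same string-typed `\"show\":\"true\"` appears in the seriesParams of network_traffic-cassandra-responsetime.json, network_traffic-connections-over-time.json and network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json later in this diff. Whether Kibana currently coerces the string is not visible here, so normalising it to a boolean removes the question.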
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" + }, + "title": "[Network Packet Capture] TLS Alerts", + "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json new file mode 100755 index 0000000000..fcdb742965 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra Ops", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-ops", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json new file mode 100755 index 0000000000..ac31b1fa2f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra RequestCount", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-requestcount", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json new file mode 100755 index 0000000000..be3352be29 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra RequestCountByType", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-requestcountbytype", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json new file mode 100755 index 0000000000..9e1ebf6056 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra RequestCountStackByType", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-requestcountstackbytype", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json new file mode 100755 index 0000000000..17a71a0e30 --- /dev/null 
+++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra ResponseCountByType", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-responsecountbytype", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
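Review bot: The saved-object `title` is `[Network Packet Capture] Cassandra ResponseCountByType` but the title embedded in `visState` reads `[Network Packet Capture] Cassandra: ResponseCountByType` (extra colon); the two should match, as the embedded one is what the visualization editor shows. This hunk's aggs also omit the `\"enabled\":true` key that every sibling cassandra visualization in this diff carries, and its params set `addLegend` to true without a `legendPosition`, unlike network_traffic-cassandra-requestcountbytype.json. That suggests this object was exported from a different Kibana version than the others, which is worth confirming before release.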
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json new file mode 100755 index 0000000000..ee9d47e2f6 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-responsecountstackbytype", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json new file mode 100755 index 0000000000..2f203d6dd9 --- /dev/null 
+++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra ResponseKeyspace", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-responsekeyspace", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json new file mode 100755 index 0000000000..152ebf53ef --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra ResponseTime", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-responsetime", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json new file mode 100755 index 0000000000..85c2b4d398 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Cassandra ResponseType", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-cassandra-responsetype", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json new file mode 100755 index 0000000000..97d4affdf5 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Connections over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-connections-over-time", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-flows-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..d8cedfb7c3 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DHCPv4 Transaction Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json new file mode 100755 index 0000000000..856211710f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] TLS Handshake Latency", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json new file mode 100755 index 0000000000..475882f60d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" + }, + "title": "[Network Packet Capture] Transaction Types", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-db-transactions", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json new file mode 100755 index 0000000000..333052a373 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json 
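Review bot: The saved query in `searchSourceJSON` scopes this panel with `agent.type:packetbeat`, while the sibling visualizations added in this commit scope by data stream (`data_stream.dataset:network_traffic.dns` in the next hunk, `data_stream.dataset:network_traffic.http` in http-error-codes-evolution). If any shipper path for this integration does not populate `agent.type` with exactly `packetbeat`, the Transaction Types panel goes empty while the rest of the dashboard still renders, which is easy to mistake for "no transactions"; I cannot confirm the field value from this diff, so treat this as a consistency check. Aligning it with the others, e.g. `\"query\":\"data_stream.dataset:network_traffic.*\"`, would make the panels agree on what they count.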
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" + }, + "title": "[Network Packet Capture] Top Domains by Data Volume", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json new file mode 100755 index 0000000000..1898c984d8 --- /dev/null 
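Review bot: The column labels in `visState` map `source.bytes` to "Bytes In" and `destination.bytes` to "Bytes Out", whereas the DNS Query Summary hunk that follows labels the same fields "Client Bytes" and "Server Bytes". For a DNS transaction `source.bytes` is what the client sent, so "In"/"Out" reads inverted to anyone using this table to eyeball outbound DNS data volume; which perspective is intended is not visible in the diff, so please confirm. If the client/server wording is the intended one, `\"customLabel\":\"Client Bytes\"` and `\"customLabel\":\"Server Bytes\"` would keep the two panels consistent.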
+++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Query Summary", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-query-summary", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json new file mode 100755 index 0000000000..b2a975b430 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Question Types", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-question-types", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json new file mode 100755 index 0000000000..53c1b991c8 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Request Status Over Time", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-request-status-over-time", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json new file mode 100755 index 0000000000..b9edd3cab4 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Response Codes", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-response-codes", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json new file mode 100755 index 0000000000..d86db94a8d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Top 10 Questions", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-dns-top-10-questions", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json new file mode 100755 index 0000000000..b89d822540 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DNS Transactions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json new file mode 100755 index 0000000000..5582bc6c67 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Errors count over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-errors-count-over-time", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-transactions-errors", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json new file mode 100755 index 0000000000..c3ac23f5a7 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json 
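Review bot: The embedded `visState` still carries `\"title\":\"[Network Packet Capture] New Visualization\"` while `attributes.title` is "Errors count over time", so the two titles of the same saved object disagree; the inner one should read `\"title\":\"[Network Packet Capture] Errors count over time\"`. This object is also in an older shape than the rest of the set: the aggs have no `enabled` flags, it has a legacy `listeners` key, the date histogram is pinned to `\"interval\":\"30s\"` instead of `auto`, and the terms split is on a bare `type` field where the other panels split on `event.dataset` or `network.protocol`. Whether `type` is mapped in this integration is not visible here; if it is not, the series split yields nothing and the error count silently shows a single unlabelled series.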
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Errors vs successful transactions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-errors-vs-successful-transactions", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json new file mode 100755 index 0000000000..c0d680e520 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] DHCPv4 Data Transfer", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json new file mode 100755 index 0000000000..d8885cd43f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] HTTP status codes for the top queries", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-http-codes-for-the-top-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json new file mode 100755 index 0000000000..479733a2af --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" + }, + "title": "[Network Packet Capture] HTTP error codes evolution", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-http-error-codes-evolution", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json new file mode 100755 index 0000000000..1cb90080fc --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json 
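Review bot: In `searchSourceJSON` the second filter's display metadata says `\"params\":{\"gte\":200,\"lt\":299}` with the value text "200 to 299", but the query actually applied is `\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}`. Because the filter is negated, status 299 is excluded by the real query yet the pill tells the analyst it is included, so the UI description and the executed filter differ on that boundary. Aligning the metadata to the query, `\"params\":{\"gte\":200,\"lte\":299}`, removes the discrepancy (the hunk for this file continues from the previous line).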
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" + }, + "title": "[Network Packet Capture] HTTP error codes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-http-error-codes", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
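Review bot: The metric aggregation in visState is a `cardinality` on the legacy `type` field (`\"field\":\"type\"`, labelled "Unique count of type") while the filter in searchSourceJSON queries `network.protocol`, so each bar shows the number of distinct `type` values per status code rather than a document count, which contradicts the axis title `Count`; a plain `{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}` would match the title and the sibling panels. The filter's `meta.key` is still `type` while its `query` matches `network.protocol`, which reads as a half-finished field rename — confirm which field the data stream actually populates. Every visualization in this batch (through the MySQL reads-vs-writes file) also ships with `"description": ""`; a one-line description of what the panel shows and which data stream feeds it would help dashboard users.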
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json new file mode 100755 index 0000000000..34aa0f3d11 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Latency Histogram", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": 
"network_traffic-latency-histogram", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json new file mode 100755 index 0000000000..87474df326 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json 
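Review bot: The `event.duration` histogram uses a fixed `\"interval\":10000000` with empty `extended_bounds`, so the bucket count depends entirely on the spread of durations in the selected time range; a handful of very long transactions can push the request past the cluster's bucket limit and make the panel error out instead of degrading. Since JSON has no comments, the empty `description` is the place to record the bucket width and unit, e.g. `"description": "Transactions per event.duration bucket (fixed 10000000 unit interval)"`, ideally stating the unit once it is confirmed for this data stream.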
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MongoDB Commands", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-commands", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mongodb-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json new file mode 100755 index 0000000000..ea23f3560f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MongoDB errors per collection", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-errors-per-collection", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json new file mode 100755 index 0000000000..183ec66ef3 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json 
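Review bot: `references[0].id` is `network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3`, a legacy UUID-style id, while every other visualization in this batch references a descriptive id such as `network_traffic-mongodb-transactions`; the same UUID reference appears in network_traffic-mongodb-errors.json. If this points at a dedicated errors saved search, renaming it to something like `network_traffic-mongodb-errors` (mirroring the `network_traffic-mysql-errors` search the MySQL errors panel uses) keeps the package's ids consistent, bearing in mind the reference must match the search object's own id exactly or the import fails. I cannot see the referenced search object from this hunk, so this only applies if it ships in the same package.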
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MongoDB errors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json new file mode 100755 index 0000000000..74b8a6fd64 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MongoDB in/out throughput", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-in-slash-out-throughput", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mongodb-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json new file mode 100755 index 0000000000..0346b7b1cd --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json 
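Review bot: The value axis is titled `Count` (`\"title\":{\"text\":\"Count\"}`) but both metrics are `sum` aggregations over `source.bytes` and `destination.bytes`, so the label is wrong; `\"title\":{\"text\":\"Bytes\"}` would describe the data. The two `seriesParams` entries are also written differently — the first has `\"show\":\"true\"` (string) and `\"radiusRatio\":9`, the second `\"show\":true` (boolean) and no `radiusRatio` — which looks hand-edited rather than exported; aligning both entries avoids type-dependent surprises across Kibana versions.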
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MongoDB response times by collection", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mongodb-response-times-by-collection", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mongodb-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json new file mode 100755 index 0000000000..08c27fcecf --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json 
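Review bot: `radiusRatio` is a string here (`\"radiusRatio\":\"9\"`, in both params and seriesParams) while the sibling line charts in this batch use the number `9`; the value axis label `Percentiles of event.duration` also omits the unit. Use the numeric form for consistency and, once the unit of `event.duration` for this data stream is confirmed, put it in the axis title, e.g. `\"title\":{\"text\":\"99th percentile of event.duration (unit)\"}`.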
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Most frequent MySQL queries", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-most-frequent-mysql-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json new file mode 100755 index 0000000000..6ddc08eafb --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json 
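Review bot: The table params key `showMeticsAtAllLevels` is misspelled — the PgSQL counterpart in this batch uses `showMetricsAtAllLevels` — so Kibana ignores it and falls back to its default; fix it to `\"showMetricsAtAllLevels\":false`. This file also differs in shape from its siblings: the aggs lack `\"enabled\":true`, `searchSourceJSON` has no `query` object, and the legacy `\"listeners\":{}` key is present, which suggests it was not re-exported from the same Kibana version as the rest and should be. Separately, the panel lists raw captured `query` text; where statements carry literal values, anyone with read access to the dashboard sees them, so the description should state what this field contains so dashboard owners can decide who gets access.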
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Most frequent PgSQL queries", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-most-frequent-pgsql-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json new file mode 100755 index 0000000000..25ded66860 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MySQL Errors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" + }, 
+ "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-errors", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json new file mode 100755 index 0000000000..34e609f25b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MySQL Methods", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-methods", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json new file mode 100755 index 0000000000..4fece54090 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MySQL Reads vs Writes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-reads-vs-writes", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json new file mode 100755 index 0000000000..add1156167 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Mysql response times percentiles", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" + }, + 
"coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-response-times-percentiles", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json new file mode 100755 index 0000000000..fd67a3b714 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] MySQL throughput", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-mysql-throughput", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json new file mode 100755 index 0000000000..958a4a7a7c --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Network Packet Capture] Navigation", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-navigation", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json new file mode 100755 index 0000000000..292355bbdf --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Traffic Between Hosts", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-network-traffic-between-your-hosts", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-flows-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json new file mode 100755 index 0000000000..8b550d78cf --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS Request / Response Sizes", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-bytes-in-slash-out", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json new file mode 100755 index 0000000000..4272f7571e --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS clients pie chart", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-clients-pie-chart", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json new file mode 100755 index 0000000000..f407f4153d --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS errors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs-errors-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json new file mode 100755 index 0000000000..56e28320c1 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS operation table", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-operation-table", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json new file mode 100755 index 0000000000..56cb538f8f --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS operations area chart", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-operations-area-chart", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json new file mode 100755 index 0000000000..2ffaacd816 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS response times", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-response-times", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json new file mode 100755 index 0000000000..c1b2816c13 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS top group pie chart", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-top-group-pie-chart", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json new file mode 100755 index 0000000000..543bfe7058 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] NFS top users pie chart", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-nfs-top-users-pie-chart", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-nfs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json new file mode 100755 index 0000000000..770c776e13 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mongodb-transactions-with-write-concern-0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json new file mode 100755 index 0000000000..88a19443ff --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] PgSQL Errors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" + }, 
+ "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-errors", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json new file mode 100755 index 0000000000..e49215022c --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] PgSQL Methods", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-methods", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json new file mode 100755 index 0000000000..60be8776dd --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] PgSQL Reads vs Writes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-reads-vs-writes", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json new file mode 100755 index 0000000000..66eb8b3b8b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json 
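Review bot: The category-axis title in this visState hard-codes `\"title\":{\"text\":\"@timestamp per 30 seconds\"}` while the date_histogram agg on the same line uses `\"interval\":\"auto\"`, so the axis label will misstate the bucket size for any time range that does not resolve to 30-second buckets. Every sibling visualization in this change leaves the category axis title empty and lets Kibana derive it; this file should do the same, `\"title\":{}`. This is the exported saved object, so the fix is a one-token edit inside the escaped visState string rather than a structural change.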
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] PgSQL response times percentiles", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" + }, + 
"coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-response-times-percentiles", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json new file mode 100755 index 0000000000..aba4ebafd0 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] PgSQL Throughput", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-pgsql-throughput", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json new file mode 100755 index 0000000000..f43cfc0233 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json 
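Review bot: The value axis of the PgSQL Throughput chart is labelled `\"title\":{\"text\":\"Count\"}` although both metrics on this line are `sum` aggregations over `destination.bytes` and `source.bytes`, so the y-axis will read "Count" for a bytes total. A label such as `\"title\":{\"text\":\"Bytes\"}` (or leaving `\"title\":{}` as the other line charts in this change do) would match the data. The two seriesParams entries also disagree on the type of `show` (`\"show\":\"true\"` vs `\"show\":true`); they should use the same boolean form so the exported object is consistent.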
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Response times percentiles", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-response-times-percentiles", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json new file mode 100755 index 0000000000..2271bdb9a7 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Response times repartition", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-response-times-repartition", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json new file mode 100755 index 0000000000..9194c62aaa --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Slowest MySQL queries", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-slowest-mysql-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mysql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json new file mode 100755 index 0000000000..ce2d661459 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json 
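Review bot: The average metric on this line is labelled `\"customLabel\":\"Avg Response Time\"` with no unit, while the sibling "Slowest PgSQL Queries" table in the next hunk labels the identical `avg` of `event.duration` as `\"customLabel\":\"Average Response Time (ns)\"`. The two tables sit on the same package's dashboards and should present the same metric the same way; `\"customLabel\":\"Average Response Time (ns)\"` here would align them. The unit matters for a reader comparing the two tables, since a bare number next to "ns" in the other view invites a wrong reading.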
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Slowest PgSQL Queries", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-slowest-pgsql-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-pgsql-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json new file mode 100755 index 0000000000..777f4d7abe --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Slowest Thrift RPC methods", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-slowest-thrift-rpc-methods", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json new file mode 100755 index 0000000000..e9dee7461a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Thrift requests per minute", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-requests-per-minute", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json new file mode 100755 index 0000000000..835ee06280 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json 
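Review bot: This visState is written in an older shape than the rest of the visualizations in this change: the aggs carry no `enabled` flag, there is a top-level `\"listeners\":{}`, `params` has no `categoryAxes`/`valueAxes`/`seriesParams`, and `searchSourceJSON` is `{\"filter\":[]}` without the `query` object the sibling files include. The "Thrift RPC Errors" hunk on L3808 has the same shape. Presumably Kibana migrates these on import (the file still declares `coreMigrationVersion` 7.17.0), but committing a mixed set of formats makes the package harder to diff and review; re-exporting these two objects from the same Kibana version as the others would make them consistent.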
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Thrift response times percentiles", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" + }, + 
"coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-response-times-percentiles", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json new file mode 100755 index 0000000000..37e3e901fc --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Thrift RPC Errors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-thrift-rpc-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-errors", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json new file mode 100755 index 0000000000..bb5c71dbfe --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top 10 HTTP requests", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-10-http-requests", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json new file mode 100755 index 0000000000..842f9f29ec --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top Hosts Creating Traffic", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-hosts-creating-traffic", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-flows-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json new file mode 100755 index 0000000000..34f9d74be2 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top Hosts Receiving Traffic", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-hosts-receiving-traffic", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-flows-search", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json new file mode 100755 index 0000000000..e39b39b7f9 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top slowest MongoDB queries", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-slowest-mongodb-queries", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-mongodb-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json new file mode 100755 index 0000000000..3f7aee4851 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-thrift-rpc-calls-with-errors", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-errors", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json new file mode 100755 index 0000000000..8add979f7b --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Top Thrift-RPC methods ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-top-thrift-rpc-methods", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-thrift-transactions", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json new file mode 100755 index 0000000000..77e8f9b41a --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Total number of HTTP transactions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-total-number-of-http-transactions", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json new file mode 100755 index 0000000000..93a9d62de2 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-unique-fqdns-per-etld-1-table", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json new file mode 100755 index 0000000000..e94d78a938 --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-unique-fqdns-per-etld-1", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json new file mode 100755 index 0000000000..354ec98cef --- /dev/null +++ b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "[Network Packet Capture] HTTP Transactions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "network_traffic-web-transactions", 
+ "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/manifest.yml b/packages/network_traffic/1.0.1/manifest.yml new file mode 100755 index 0000000000..b880e36b61 --- /dev/null +++ b/packages/network_traffic/1.0.1/manifest.yml @@ -0,0 +1,35 @@ +format_version: 1.0.0 +name: network_traffic +title: Network Packet Capture +version: 1.0.1 +license: basic +description: Capture and analyze network traffic from a host with Elastic Agent. +type: integration +categories: + - web +release: ga +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +policy_templates: + - name: network + title: Network Packet Capture + description: Capture network traffic + inputs: + - type: packet + title: Capture network traffic + description: Collecting network traffic + vars: + - name: interface + type: text + title: Interface + required: false + show_user: false + - name: processes + type: text + multi: true + title: Processes + description: Processes to monitor (this will act as a command line grep) + required: false + show_user: false +owner: + github: elastic/security-external-integrations diff --git a/packages/okta/1.7.0/changelog.yml b/packages/okta/1.7.0/changelog.yml new file mode 100755 index 0000000000..a47019c5ec --- /dev/null +++ b/packages/okta/1.7.0/changelog.yml 
@@ -0,0 +1,149 @@ +# newer versions go on top +- version: "1.7.0" + changes: + - description: Add flattened `okta.request.ip_chain.*` fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3326 +- version: "1.6.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.5.2" + changes: + - description: Handle invalid values in client.ipAddress + type: bugfix + link: https://github.com/elastic/integrations/pull/3010 +- version: "1.5.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.5.0" + changes: + - description: Increase the limit for the number of results in an API response. + type: enhancement + link: https://github.com/elastic/integrations/pull/2791 +- version: "1.4.1" + changes: + - description: Add missing field mapping for event.created. + type: enhancement + link: https://github.com/elastic/integrations/pull/2774 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2428 +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2264 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2095 +- version: "1.2.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1977 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1838 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1638 +- version: "1.1.3" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "1.1.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1494 +- version: "1.1.1" + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1403 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.1" + changes: + - description: add missing `initial_interval` option to the manifest + type: bugfix + link: https://github.com/elastic/integrations/pull/1299 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1222 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1222 +- version: "0.6.0" + changes: + - description: Update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1067 +- version: "0.5.2" + changes: + - description: Add httpjson system tests and remove log input. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1034 +- version: "0.5.1" + changes: + - description: Make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/1009 +- version: "0.5.0" + changes: + - description: change okta.target to flattened type + type: enhancement + link: https://github.com/elastic/integrations/pull/899 +- version: "0.4.2" + changes: + - description: add fail_on_template_error on pagination + type: bugfix + link: https://github.com/elastic/integrations/pull/901 +- version: "0.4.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/861 +- version: "0.4.0" + changes: + - description: Moves edge processing to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/759/ +- version: "0.3.1" + changes: + - description: Change kibana.version constraint to be more conservative. + type: bugfix + link: https://github.com/elastic/integrations/pull/749 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/232 diff --git a/packages/okta/1.7.0/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/1.7.0/data_stream/system/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..24a3d77d72 --- /dev/null +++ b/packages/okta/1.7.0/data_stream/system/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,56 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.rate_limit: + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' +request.transforms: + - set: + target: header.Authorization + value: "SSWS {{api_key}}" + - set: + target: url.params.limit + value: '1000' + - set: + target: url.params.since + value: "[[.cursor.published]]" + default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]' +response.pagination: + - set: + target: url.value + value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' + fail_on_template_error: true + +cursor: + published: + value: "[[.last_event.published]]" + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/okta/1.7.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/1.7.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..8b308e6173 --- /dev/null +++ b/packages/okta/1.7.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml 
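Review bot: The `Authorization` transform embeds `SSWS {{api_key}}` in cleartext in the rendered agent config, so the token's protection rests entirely on the `api_key` variable being declared `secret: true` in the data stream manifest, which is not part of this hunk; that should be confirmed, because otherwise the key is visible wherever the rendered policy is displayed or exported. The `since` parameter is driven by `[[.cursor.published]]`, the timestamp of the last event already ingested, so if Okta treats `since` as inclusive the boundary event is fetched again on every poll; the ingest pipeline in this same change sets `_id` from `json.uuid`, which is what makes that safe, and a comment above the transform such as `# since = last published timestamp; a re-fetched boundary event is deduplicated by the uuid-derived _id in the ingest pipeline` would record that dependency. Separately, `initial_interval` is spliced into a Go duration literal (`"-{{initial_interval}}"`), so a blank value would presumably surface as a template error at collection time rather than at policy validation — worth ensuring the variable has a default or is marked required on the manifest side.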
@@ -0,0 +1,580 @@ +--- +description: Pipeline for Okta system logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + - json: + field: event.original + target_field: json + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - convert: + field: json.uuid + target_field: _id + type: string + ignore_failure: true + if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" + - date: + field: json.published + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.displayMessage + target_field: okta.display_message + ignore_missing: true + ignore_failure: true + - rename: + field: json.eventType + target_field: okta.event_type + ignore_missing: true + ignore_failure: true + - append: + field: event.category + value: iam + if: | + ["group.user_membership.add","group.user_membership.remove", + "user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: configuration + if: | + ["policy.lifecycle.activate","policy.lifecycle.create", + "policy.lifecycle.deactivate","policy.lifecycle.delete", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.delete", + "application.lifecycle.create","application.lifecycle.delete", + "policy.rule.update","application.lifecycle.activate", + "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) + - append: + 
field: event.category + value: authentication + if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - append: + field: event.category + value: session + if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: network + if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: network + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: start + if: '["user.session.start"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: end + if: '["user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: group + if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: user + if: | + ["user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend","user.authentication.sso", + "user.session.start","user.session.end","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: change + if: | + ["user.lifecycle.activate","user.lifecycle.deactivate", + "user.lifecycle.suspend","user.lifecycle.unsuspend", + "group.user_membership.add","group.user_membership.remove", + "policy.lifecycle.activate","policy.lifecycle.deactivate", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", 
+ "policy.rule.deactivate","policy.rule.update","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: creation + if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: deletion + if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - rename: + field: json.uuid + target_field: okta.uuid + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.alternateId + target_field: okta.actor.alternate_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.displayName + target_field: okta.actor.display_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.id + target_field: okta.actor.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.type + target_field: okta.actor.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.device + target_field: okta.client.device + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.geolocation + target_field: client.geo.location + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.city + target_field: client.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.state + target_field: client.geo.region_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.country + target_field: client.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.id + target_field: okta.client.id + 
ignore_missing: true + ignore_failure: true + - convert: + field: json.client.ipAddress + target_field: okta.client.ip + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.browser + target_field: okta.client.user_agent.browser + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.os + target_field: okta.client.user_agent.os + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.rawUserAgent + target_field: okta.client.user_agent.raw_user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.zone + target_field: okta.client.zone + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.reason + target_field: okta.outcome.reason + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.result + target_field: okta.outcome.result + ignore_missing: true + ignore_failure: true + - rename: + field: json.target + target_field: okta.target + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.id + target_field: okta.transaction.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.type + target_field: okta.transaction.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + 
ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationProvider + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationStep + target_field: okta.authentication_context.authentication_step + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialProvider + target_field: okta.authentication_context.credential_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialType + target_field: okta.authentication_context.credential_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.externalSessionId + target_field: okta.authentication_context.external_session_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.interface + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.issuer + target_field: okta.authentication_context.issuer + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asNumber + target_field: okta.security_context.as.number + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asOrg + target_field: okta.security_context.as.organization.name + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.domain + target_field: okta.security_context.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isProxy + target_field: okta.security_context.is_proxy + ignore_missing: true + ignore_failure: true + - rename: + field: 
json.securityContext.isp + target_field: okta.security_context.isp + ignore_missing: true + ignore_failure: true + - rename: + field: json.request.ipChain + target_field: okta.request.ip_chain + ignore_missing: true + ignore_failure: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographicalContext + target_field: _ingest._value.geographical_context + ignore_missing: true + ignore_failure: true + ignore_missing: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographical_context.postalCode + target_field: _ingest._value.geographical_context.postal_code + ignore_missing: true + ignore_failure: true + ignore_missing: true + - convert: + field: okta.client.user_agent.raw_user_agent + target_field: user_agent.original + type: string + ignore_failure: true + - set: + field: client.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - set: + field: source.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - convert: + field: okta.event_type + target_field: event.action + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.number + target_field: client.as.number + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.organization.name + target_field: client.as.organization.name + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: client.domain + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: source.domain + type: string + ignore_failure: true + - convert: + field: okta.uuid + target_field: event.id + type: string + ignore_failure: true + - lowercase: + field: okta.outcome.result + target_field: okta.outcome.result_lower + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == 
"success" || ctx?.okta?.outcome?.result_lower == "allow") + - set: + field: event.outcome + value: failure + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - remove: + field: okta.outcome.result_lower + ignore_missing: true + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + arr[i]["alternate_id"] = arr[i]["alternateId"]; + arr[i].remove("alternateId"); + arr[i]["display_name"] = arr[i]["displayName"]; + arr[i].remove("displayName"); + arr[i].remove("detailEntry"); + } + } + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("user")) { + ctx["okta_target_user"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("group")) { + ctx["okta_target_group"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") + - rename: + field: okta_target_user.display_name + target_field: user.target.full_name + ignore_missing: true + - rename: + field: okta_target_user.id + target_field: user.target.id + ignore_missing: true + - rename: + field: okta_target_user.login + target_field: user.target.email + ignore_missing: true + - rename: + field: okta_target_group.display_name + target_field: user.target.group.name + ignore_missing: true + - rename: + field: okta_target_group.id + target_field: user.target.group.id + ignore_missing: true + - remove: + field: + - okta_target_user + - okta_target_group + 
ignore_missing: true + - set: + field: client.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: source.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: client.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: source.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{okta.actor.display_name}}" + allow_duplicates: false + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{user.target.full_name}}" + allow_duplicates: false + if: ctx?.user?.target?.full_name != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - remove: + field: json + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + 
target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/okta/1.7.0/data_stream/system/fields/agent.yml b/packages/okta/1.7.0/data_stream/system/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/okta/1.7.0/data_stream/system/fields/agent.yml 
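Review bot: The rename of `json.authenticationContext.interface` uses `target_field: okta.authentication_context.authentication_provider`, the same target the preceding `authenticationProvider` rename writes, so with `ignore_failure: true` the interface value is silently dropped when both are present and silently stored as the provider when only `interface` is; it should be `target_field: okta.authentication_context.interface` with a matching entry in the data stream's fields.yml (outside this hunk). The two `event.type` appends of `network` both match `security.request.blocked`, producing a duplicate value in the array; the single-element condition can be dropped since the list-based one already covers it. The two scripts that populate `okta_target_user` and `okta_target_group` call `arr[i]["type"].toLowerCase()` without a null check, so a target entry lacking `type` aborts the whole pipeline into `on_failure`; guard with `arr[i]["type"] != null &&` (or add `ignore_failure: true` to those processors). The `client.as.number` convert uses `type: string` while `ecs.yml` later in this diff maps `client.as.number` as `long`; `type: long` keeps the pipeline and the mapping consistent rather than relying on Elasticsearch coercing numeric strings.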
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
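Review bot: `example: 666777888999` under `cloud.account.id` is a plain scalar, so YAML loaders read it as an integer even though the field is `type: keyword`; quoting it (`example: "666777888999"`) keeps the example consistent with the mapping, as `example: "18D109"` further down already does. The `description: >` folded scalars at the end of the hunk (`containerized`, `os.build`, `os.codename`) are each followed by a blank line, so every description carries a trailing newline; `>-` would strip it. This file looks like shared ECS boilerplate copied into the package, so the fix probably belongs in the source it is copied from.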
diff --git a/packages/okta/1.7.0/data_stream/system/fields/base-fields.yml b/packages/okta/1.7.0/data_stream/system/fields/base-fields.yml
new file mode 100755
index 0000000000..915728ae0c
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: okta
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: okta.system
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/okta/1.7.0/data_stream/system/fields/beats.yml b/packages/okta/1.7.0/data_stream/system/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/okta/1.7.0/data_stream/system/fields/ecs.yml b/packages/okta/1.7.0/data_stream/system/fields/ecs.yml
new file mode 100755
index 0000000000..70ee18f075
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/fields/ecs.yml
@@ -0,0 +1,300 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. 
+ name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. 
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.target.domain
+ type: keyword
+- description: User email address.
+ name: user.target.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.target.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.target.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.target.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/okta/1.7.0/data_stream/system/fields/fields.yml b/packages/okta/1.7.0/data_stream/system/fields/fields.yml
new file mode 100755
index 0000000000..4ec76b884f
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/fields/fields.yml
@@ -0,0 +1,262 @@
+- name: okta.uuid
+ title: UUID
+ type: keyword
+ description: |
+ The unique identifier of the Okta LogEvent.
+- name: okta.event_type
+ title: Event Type
+ type: keyword
+ description: |
+ The type of the LogEvent.
+- name: okta.version
+ title: Version
+ type: keyword
+ description: |
+ The version of the LogEvent.
+- name: okta.severity
+ title: Severity
+ type: keyword
+ description: |
+ The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
+- name: okta.display_message
+ title: Display Message
+ type: keyword
+ description: |
+ The display message of the LogEvent.
+- name: okta.actor
+ title: Actor
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the actor.
+ - name: type
+ type: keyword
+ description: |
+ Type of the actor.
+ - name: alternate_id
+ type: keyword
+ description: |
+ Alternate identifier of the actor.
+ - name: display_name
+ type: keyword
+ description: |
+ Display name of the actor.
+- name: okta.client
+ title: Client
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ The IP address of the client.
+ - name: user_agent
+ type: group
+ fields:
+ - name: raw_user_agent
+ type: keyword
+ description: |
+ The raw informaton of the user agent.
+ - name: os
+ type: keyword
+ description: |
+ The OS informaton.
+ - name: browser
+ type: keyword
+ description: |
+ The browser informaton of the client.
+ - name: zone
+ type: keyword
+ description: |
+ The zone information of the client.
+ - name: device
+ type: keyword
+ description: |
+ The information of the client device.
+ - name: id
+ type: keyword
+ description: |
+ The identifier of the client.
+- name: okta.outcome
+ title: Outcome of the LogEvent.
+ type: group
+ fields:
+ - name: reason
+ type: keyword
+ description: |
+ The reason of the outcome.
+ - name: result
+ type: keyword
+ description: |
+ The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
+- name: okta.target
+ title: Target
+ type: flattened
+ description: |
+ The list of targets.
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the actor.
+ - name: type
+ type: keyword
+ description: |
+ Type of the actor.
+ - name: alternate_id
+ type: keyword
+ description: |
+ Alternate identifier of the actor.
+ - name: display_name
+ type: keyword
+ description: |
+ Display name of the actor.
+- name: okta.transaction
+ title: Transaction
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the transaction.
+ - name: type
+ type: keyword
+ description: |
+ The type of transaction. Must be one of "WEB", "JOB".
+- name: okta.debug_context
+ title: Debug Context
+ type: group
+ fields:
+ - name: debug_data
+ type: group
+ fields:
+ - name: device_fingerprint
+ type: keyword
+ description: |
+ The fingerprint of the device.
+ - name: request_id
+ type: keyword
+ description: |
+ The identifier of the request.
+ - name: request_uri
+ type: keyword
+ description: |
+ The request URI.
+ - name: threat_suspected
+ type: keyword
+ description: |
+ Threat suspected.
+ - name: url
+ type: keyword
+ description: |
+ The URL.
+- name: okta.authentication_context
+ title: Authentication Context
+ type: group
+ fields:
+ - name: authentication_provider
+ type: keyword
+ description: |
+ The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
+ - name: authentication_step
+ type: integer
+ description: |
+ The authentication step.
+ - name: credential_provider
+ type: keyword
+ description: |
+ The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
+ - name: credential_type
+ type: keyword
+ description: |
+ The information about credential type.
Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
+ - name: issuer
+ type: array
+ description: |
+ The information about the issuer.
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ The identifier of the issuer.
+ - name: type
+ type: keyword
+ description: |
+ The type of the issuer.
+ - name: external_session_id
+ type: keyword
+ description: |
+ The session identifer of the external session if any.
+ - name: interface
+ type: keyword
+ description: |
+ The interface used. e.g., Outlook, Office365, wsTrust
+- name: okta.security_context
+ title: Security Context
+ type: group
+ fields:
+ - name: as
+ type: group
+ fields:
+ - name: number
+ type: integer
+ description: |
+ The AS number.
+ - name: organization
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ The organization name.
+ - name: isp
+ type: keyword
+ description: |
+ The Internet Service Provider.
+ - name: domain
+ type: keyword
+ description: |
+ The domain name.
+ - name: is_proxy
+ type: boolean
+ description: |
+ Whether it is a proxy or not.
+- name: okta.request
+ title: Request
+ type: group
+ fields:
+ - name: ip_chain
+ type: flattened
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ IP address.
+ - name: version
+ type: keyword
+ description: |
+ IP version. Must be one of V4, V6.
+ - name: source
+ type: keyword
+ description: |
+ Source information.
+ - name: geographical_context
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The city.
+ - name: state
+ type: keyword
+ description: The state.
+ - name: postal_code
+ type: keyword
+ description: The postal code.
+ - name: country
+ type: keyword
+ description: The country.
+ - name: geolocation
+ type: geo_point
+ description: |
+ Geolocation information.
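Review bot: The four sub-field descriptions under `okta.target` (`id`, `type`, `alternate_id`, `display_name`) are copied from `okta.actor` and still read "of the actor", which inverts the meaning for anyone writing a detection on the object an action was performed against or reading the generated field table; change them to e.g. `Identifier of the target.` / `Type of the target.` Three descriptions in `okta.client.user_agent` spell "informaton" and `external_session_id` says "identifer". `okta.target` and `okta.request.ip_chain` are declared `type: flattened` yet list typed children; if the parent really is mapped as flattened, the child `keyword`/`ip` declarations presumably do not become separate mappings, so it is worth confirming that the intended mapping (flattened vs. object with typed children) is the one that ships.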
diff --git a/packages/okta/1.7.0/data_stream/system/manifest.yml b/packages/okta/1.7.0/data_stream/system/manifest.yml
new file mode 100755
index 0000000000..442cc16cd2
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Okta system logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - okta-system
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Okta system logs
+ description: Collect Okta system logs
diff --git a/packages/okta/1.7.0/data_stream/system/sample_event.json b/packages/okta/1.7.0/data_stream/system/sample_event.json
new file mode 100755
index 0000000000..19b6200940
--- /dev/null
+++ b/packages/okta/1.7.0/data_stream/system/sample_event.json
@@ -0,0 +1,139 @@
+{
+ "@timestamp": "2020-02-14T20:18:57.718Z",
+ "agent": {
+ "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5",
+ "hostname": "docker-fleet-agent",
+ "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "client": {
+ "geo": {
+ "city_name": "Dublin",
+ "country_name": "United States",
+ "location": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "region_name": "California"
+ },
+ "ip": "108.255.197.247",
+ "user": {
+ "full_name": "xxxxxx",
+ "id": "00u1abvz4pYqdM8ms4x6"
+ }
+ },
+ "data_stream": {
+ "dataset": "okta.system",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "user.session.start",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication",
+ "session"
+ ],
+ "created": "2022-04-07T02:23:26.399Z",
+ "dataset": "okta.system",
+ "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
+ "ingested": "2022-04-07T02:23:27Z",
+ "kind": "event",
+ "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
+ "outcome": "success",
+ "type": [
+ "start",
+ "user"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "okta": {
+ "actor": {
+ "alternate_id": "xxxxxx@elastic.co",
+ "display_name": "xxxxxx",
+ "id": "00u1abvz4pYqdM8ms4x6",
+ "type": "User"
+ },
+ "authentication_context": {
+ "authentication_step": 0,
+ "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ"
+ },
+ "client": {
+ "device": "Computer",
+ "ip": "108.255.197.247",
+ "user_agent": {
+ "browser": "FIREFOX",
+ "os": "Mac OS X",
+ "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
+ },
+ "zone": "null"
+ },
+ "debug_context": {
+ "debug_data": {
+ "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
+ "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
+ "request_uri": "/api/v1/authn",
+ "threat_suspected": "false",
+ "url": "/api/v1/authn?"
+ }
+ },
+ "display_message": "User login to Okta",
+ "event_type": "user.session.start",
+ "outcome": {
+ "result": "SUCCESS"
+ },
+ "transaction": {
+ "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
+ "type": "WEB"
+ },
+ "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
+ },
+ "related": {
+ "ip": [
+ "108.255.197.247"
+ ],
+ "user": [
+ "xxxxxx"
+ ]
+ },
+ "source": {
+ "ip": "108.255.197.247",
+ "user": {
+ "full_name": "xxxxxx",
+ "id": "00u1abvz4pYqdM8ms4x6"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "okta-system"
+ ],
+ "user": {
+ "full_name": "xxxxxx"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
+ "os": {
+ "full": "Mac OS X 10.15",
+ "name": "Mac OS X",
+ "version": "10.15"
+ },
+ "version": "72.0."
+ }
+}
\ No newline at end of file
diff --git a/packages/okta/1.7.0/docs/README.md b/packages/okta/1.7.0/docs/README.md
new file mode 100755
index 0000000000..dc66e020ab
--- /dev/null
+++ b/packages/okta/1.7.0/docs/README.md
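Review bot: `okta.client.zone` in this fixture holds the literal string `"null"`, carried straight over from `\"zone\":\"null\"` in `event.original`; because the field is mapped as keyword, an `exists` filter or `okta.client.zone != null` in a detection rule will treat the event as having a zone, so the ingest pipeline (not in this diff) should presumably drop or normalise that sentinel before this sample is taken as the reference output. `user_agent.version` is `"72.0."` with a trailing dot, which looks like a parsing artefact rather than the agent's real version and is worth checking before the fixture is pinned. `okta.debug_context.debug_data.threat_suspected` is likewise the string `"false"`, consistent with its keyword mapping, so any rule keyed on it must compare against the string rather than a boolean.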
@@ -0,0 +1,330 @@ +# Okta Integration + +The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API. + +## Logs + +### System + +The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta. + +An example event for `system` looks as following: + +```json +{ + "@timestamp": "2020-02-14T20:18:57.718Z", + "agent": { + "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5", + "hostname": "docker-fleet-agent", + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "data_stream": { + "dataset": "okta.system", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "user.session.start", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-04-07T02:23:26.399Z", + "dataset": "okta.system", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "ingested": "2022-04-07T02:23:27Z", + "kind": "event", + "original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "input": { + "type": "httpjson" + }, + "okta": { + "actor": { + "alternate_id": 
"xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "108.255.197.247", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "108.255.197.247" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "okta-system" + ], + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. 
| keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| okta.actor.alternate_id | Alternate identifier of the actor. | keyword | +| okta.actor.display_name | Display name of the actor. | keyword | +| okta.actor.id | Identifier of the actor. | keyword | +| okta.actor.type | Type of the actor. | keyword | +| okta.authentication_context.authentication_provider | The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. | keyword | +| okta.authentication_context.authentication_step | The authentication step. | integer | +| okta.authentication_context.credential_provider | The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. | keyword | +| okta.authentication_context.credential_type | The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. | keyword | +| okta.authentication_context.external_session_id | The session identifer of the external session if any. | keyword | +| okta.authentication_context.interface | The interface used. e.g., Outlook, Office365, wsTrust | keyword | +| okta.authentication_context.issuer.id | The identifier of the issuer. 
| keyword | +| okta.authentication_context.issuer.type | The type of the issuer. | keyword | +| okta.client.device | The information of the client device. | keyword | +| okta.client.id | The identifier of the client. | keyword | +| okta.client.ip | The IP address of the client. | ip | +| okta.client.user_agent.browser | The browser informaton of the client. | keyword | +| okta.client.user_agent.os | The OS informaton. | keyword | +| okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword | +| okta.client.zone | The zone information of the client. | keyword | +| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword | +| okta.debug_context.debug_data.request_id | The identifier of the request. | keyword | +| okta.debug_context.debug_data.request_uri | The request URI. | keyword | +| okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword | +| okta.debug_context.debug_data.url | The URL. | keyword | +| okta.display_message | The display message of the LogEvent. | keyword | +| okta.event_type | The type of the LogEvent. | keyword | +| okta.outcome.reason | The reason of the outcome. | keyword | +| okta.outcome.result | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. | keyword | +| okta.request.ip_chain.geographical_context.city | The city. | keyword | +| okta.request.ip_chain.geographical_context.country | The country. | keyword | +| okta.request.ip_chain.geographical_context.geolocation | Geolocation information. | geo_point | +| okta.request.ip_chain.geographical_context.postal_code | The postal code. | keyword | +| okta.request.ip_chain.geographical_context.state | The state. | keyword | +| okta.request.ip_chain.ip | IP address. | ip | +| okta.request.ip_chain.source | Source information. | keyword | +| okta.request.ip_chain.version | IP version. Must be one of V4, V6. 
| keyword | +| okta.security_context.as.number | The AS number. | integer | +| okta.security_context.as.organization.name | The organization name. | keyword | +| okta.security_context.domain | The domain name. | keyword | +| okta.security_context.is_proxy | Whether it is a proxy or not. | boolean | +| okta.security_context.isp | The Internet Service Provider. | keyword | +| okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword | +| okta.target.alternate_id | Alternate identifier of the actor. | keyword | +| okta.target.display_name | Display name of the actor. | keyword | +| okta.target.id | Identifier of the actor. | keyword | +| okta.target.type | Type of the actor. | keyword | +| okta.transaction.id | Identifier of the transaction. | keyword | +| okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword | +| okta.uuid | The unique identifier of the Okta LogEvent. | keyword | +| okta.version | The version of the LogEvent. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. 
| keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.id | Unique identifier of the user. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. 
| keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/okta/1.7.0/img/filebeat-okta-dashboard.png b/packages/okta/1.7.0/img/filebeat-okta-dashboard.png new file mode 100755 index 0000000000..6a28b4363b Binary files /dev/null and b/packages/okta/1.7.0/img/filebeat-okta-dashboard.png differ diff --git a/packages/okta/1.7.0/img/okta-logo.svg b/packages/okta/1.7.0/img/okta-logo.svg new file mode 100755 index 0000000000..d806cb7dc6 --- /dev/null +++ b/packages/okta/1.7.0/img/okta-logo.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/okta/1.7.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..d8725c4d60 --- /dev/null +++ b/packages/okta/1.7.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Logs Okta integration Kibana dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":26.54701,\"lon\":-44.69098,\"zoom\":2.75},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"w\":10,\"x\":0,\"y\":22},\"panelIndex\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"w\":9,\"x\":10,\"y\":22},\"panelIndex\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"w\":19,\"x\":29,\"y\":22},\"panelIndex\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"w\":10,\"x\":19,\"y\":22},\"panelIndex\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Okta] Overview", + "version": 1 + }, + "id": 
"okta-749203a0-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "name": "panel_0", + "type": "map" + }, + { + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/okta/1.7.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..916a10ca30 --- /dev/null +++ b/packages/okta/1.7.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":false,\"geoField\":\"client.geo.location\",\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":26.54701,\"lon\":-44.69098},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"zoom\":2.75}", + "title": "Geolocation [Logs Okta]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "map": "7.9.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/okta/1.7.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..35112753e0 --- /dev/null +++ b/packages/okta/1.7.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"FAILURE\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"FAILURE\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ], + [ + "event.created", + "desc" + ] + ], + "title": "Okta Failure Events", + "version": 1 + }, + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/okta/1.7.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..e31342b53d --- /dev/null 
+++ b/packages/okta/1.7.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Actor Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.actor.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Actor Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.7.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..c1c400b37c --- /dev/null +++ b/packages/okta/1.7.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Outcome [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.7.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..beb76986ed --- /dev/null +++ b/packages/okta/1.7.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Transaction Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.transaction.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Transaction Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.7.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.7.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..4e314cfd4c --- /dev/null +++ b/packages/okta/1.7.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Time Series [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"abd68650-67c6-11ea-8c7d-ed286611413e\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Time Series [Logs Okta]\",\"type\":\"metrics\"}" + }, + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.7.0/manifest.yml b/packages/okta/1.7.0/manifest.yml new file mode 100755 index 0000000000..90fa9e2761 --- /dev/null +++ b/packages/okta/1.7.0/manifest.yml 
@@ -0,0 +1,77 @@
+name: okta
+title: Okta Logs
+version: 1.7.0
+release: ga
+description: Collect and parse event logs from Okta API with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^7.14.0 || ^8.0.0
+icons:
+ - src: /img/okta-logo.svg
+ title: Okta
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/filebeat-okta-dashboard.png
+ title: Okta Dashboard
+ size: 1024x662
+ type: image/png
+policy_templates:
+ - name: okta
+ title: Okta logs
+ description: Collect logs from Okta
+ inputs:
+ - type: httpjson
+ vars:
+ - name: api_key
+ type: text
+ title: API Key
+ multi: false
+ required: false
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 60s
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: url
+ type: text
+ title: Okta System Log API Url
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ title: "Collect Okta logs via API"
+ description: "Collecting logs from Okta via API"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/oracle/1.0.2/changelog.yml b/packages/oracle/1.0.2/changelog.yml
new file mode 100755
index 0000000000..392df213ae
--- /dev/null
+++ b/packages/oracle/1.0.2/changelog.yml
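Review bot: `api_key` is declared `type: text`, so the Okta API token is rendered and stored as an ordinary text field in the policy editor; declaring it `type: password` keeps the value masked in the UI without changing how the template consumes it. The `proxy_url` description `URL to proxy connections in the form of http[s]://:@:` has lost its placeholders (only the separators survive, presumably angle-bracketed names were stripped), so the user cannot tell that a username and password are expected there; restoring `http[s]://<user>:<password>@<host>:<port>` makes the form readable and makes it plain that a proxy credential entered here lands in the agent policy. Both `api_key` and `url` are `required: false`; if the httpjson template cannot collect without them, `required: true` would reject an incomplete policy at save time rather than surfacing it as a runtime error.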
@@ -0,0 +1,16 @@
+# newer versions go on top
+- version: "1.0.2"
+ changes:
+ - description: Supporting the double digit date parsing in ingest pipeline for oracle logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3318
+- version: "1.0.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2721
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/agent/stream/stream.yml.hbs b/packages/oracle/1.0.2/data_stream/database_audit/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..3eeb00bc7f
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/agent/stream/stream.yml.hbs
@@ -0,0 +1,28 @@
+paths:
+{{#each paths}}
+- {{this}}
+{{/each}}
+parsers:
+- multiline:
+ type: pattern
+ pattern: '^[A-Za-z]{3}\s+[A-Za-z]{3}\s+[0-9]{1,2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}\s[0-9]{4}\s\S[0-9]{2}:[0-9]{2}'
+ negate: true
+ match: after
+ timeout: 10
+exclude_lines: ['^Audit file']
+tags:
+{{#if preserve_original_event}}
+- preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+- {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+exclude_files: [".gz$"]
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.0.2/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c308c66d0c
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,215 @@
+---
+description: Pipeline for parsing Oracle Audit logs
+processors:
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.action
+ value: database_audit
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: database
+ - set:
+ field: event.type
+ value: access
+ - set:
+ field: event.outcome
+ value: success
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
+ patterns:
+ - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}"
+ - kv:
+ field: audit
+ field_split: "\\\n(?=[a-zA-Z])"
+ value_split: ":\\S\\d+\\S(?= ')"
+ trim_value: " '"
+ trim_key: " "
+ prefix: oracle.database_audit.
+ - grok:
+ field: log.file.path
+ patterns:
+ - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$"
+ if: ctx.log?.file?.path != null
+ # All field names are uppercase by default, converts them to lowercase
+ - script:
+ source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));"
+ lang: painless
+ # Replace all field names that has spaces in them with _
+ - script:
+ lang: painless
+ source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));"
+ - gsub:
+ field: "oracle.database_audit.action"
+ pattern: "\\n"
+ replacement: ""
+ - gsub:
+ field: "oracle.database_audit.action"
+ pattern: "\\s{2,}"
+ replacement: " "
+ - trim:
+ field: "oracle.database_audit.action_number"
+ ignore_missing: true
+ # Removes all null values from ctx.*
+ - script:
+ lang: painless
+ if: ctx?.oracle?.database_audit != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ 
map.values().removeIf(v -> v instanceof String && v.isEmpty() == true);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field:
+ - "@timestamp"
+ ignore_missing: true
+ - date:
+ field: tmp_timestamp
+ target_field: "@timestamp"
+ formats:
+ - EEE MMM [ d][dd] HH:mm:ss uuuu XXX
+ - grok:
+ field: tmp_timestamp
+ patterns:
+ - "%{ISO8601_TIMEZONE:event.timezone}$"
+ - rename:
+ field: oracle.database_audit.privilege
+ target_field: user.roles
+ ignore_missing: true
+ - rename:
+ field: LENGTH
+ target_field: oracle.database_audit.length
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.client_user
+ target_field: client.user.name
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.client_address
+ target_field: client.address
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.userhost
+ target_field: server.address
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.database_user
+ target_field: server.user.name
+ ignore_missing: true
+ - convert:
+ field: oracle.database_audit.length
+ type: long
+ ignore_missing: true
+ - grok:
+ field: client.address
+ patterns:
+ - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
+ ignore_failure: true
+ ignore_missing: true
+ - grok:
+ field: server.address
+ patterns:
+ - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
+ ignore_failure: true
+ ignore_missing: true
+ # Renaming certain fields for better data structure
+ - rename:
+ field: oracle.database_audit.sessionid
+ target_field: oracle.database_audit.session_id
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.client_terminal
+ target_field: oracle.database_audit.client.terminal
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.client_address
+ target_field: oracle.database_audit.client.address
+ ignore_missing: true
+ - rename:
+ 
field: oracle.database_audit.database_user
+ target_field: oracle.database_audit.database.user
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.userhost
+ target_field: oracle.database_audit.database.host
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.dbid
+ target_field: oracle.database_audit.database.id
+ ignore_missing: true
+ - rename:
+ field: oracle.database_audit.entry_id
+ target_field: oracle.database_audit.entry.id
+ ignore_missing: true
+ - convert:
+ field: process.pid
+ type: long
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ allow_duplicates: false
+ if: ctx?.server?.user?.name != null
+ - append:
+ field: related.user
+ value: "{{client.user.name}}"
+ allow_duplicates: false
+ if: ctx?.client?.user?.name != null
+ - append:
+ field: related.ip
+ value: "{{client.ip}}"
+ allow_duplicates: false
+ if: ctx?.client?.ip != null
+ - append:
+ field: related.ip
+ value: "{{server.ip}}"
+ allow_duplicates: false
+ if: ctx?.server?.ip != null
+ - append:
+ field: related.hosts
+ value: "{{client.domain}}"
+ allow_duplicates: false
+ if: ctx?.client?.domain != null
+ - append:
+ field: related.hosts
+ value: "{{server.domain}}"
+ allow_duplicates: false
+ if: ctx?.server?.domain != null
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - tmp_timestamp
+ - audit
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/fields/agent.yml b/packages/oracle/1.0.2/data_stream/database_audit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/fields/agent.yml
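Review bot: `event.outcome` is set to `success` in the opening block of `set` processors and nothing later revises it, so a failed logon or a denied statement in an audit record is indexed as a success and any rule keyed on `event.outcome` will not see it. The record's status/return code is extracted by the generic `kv` step like every other key (in the OS audit trail it is written as `STATUS:[n] '0'`, so presumably it ends up as `oracle.database_audit.status` here — confirm against the test samples), and it should drive a `set` of `event.outcome: failure` guarded by `if: ctx.oracle?.database_audit?.status != null && ctx.oracle.database_audit.status != '0'` placed after the key-normalising scripts. Those two Painless scripts (lowercase keys, replace spaces) run without an `if` guard, unlike the empty-value cleanup script right below them; when `kv` extracts nothing, `ctx.oracle.database_audit.entrySet()` throws and the whole document is routed to `on_failure`, so both should carry `if: ctx.oracle?.database_audit != null`. The later "better data structure" renames of `oracle.database_audit.client_address`, `database_user` and `userhost` can never fire, because the same source fields were already moved to `client.address`, `server.user.name` and `server.address` earlier in the hunk and `ignore_missing: true` hides the no-op; either drop them or populate the `oracle.database_audit.client.address`, `database.user` and `database.host` targets with `set` + `copy_from` before the ECS renames.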
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/fields/base-fields.yml b/packages/oracle/1.0.2/data_stream/database_audit/fields/base-fields.yml
new file mode 100755
index 0000000000..33efa5ed0c
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
+- name: "message"
+ type: text
+ description: human-readable summary of the event
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: oracle
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: oracle.database_audit
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/fields/ecs.yml b/packages/oracle/1.0.2/data_stream/database_audit/fields/ecs.yml
new file mode 100755
index 0000000000..cd8b075af1
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/fields/ecs.yml
@@ -0,0 +1,132 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- description: |- + The domain name of the server system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Process id. + name: process.pid + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. 
+ name: user.target.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: related log flags + name: log.flags +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/oracle/1.0.2/data_stream/database_audit/fields/fields.yml b/packages/oracle/1.0.2/data_stream/database_audit/fields/fields.yml new file mode 100755 index 0000000000..8f57baa92f --- /dev/null +++ b/packages/oracle/1.0.2/data_stream/database_audit/fields/fields.yml 
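Review bot: `log.flags` near the end of this hunk is declared without a `type`, so its mapping is left to Elasticsearch dynamic mapping instead of being pinned by the package; the sample event in this PR shows it carrying `["multiline"]`, so the entry should read `- description: Flags for the log file.` / `name: log.flags` / `type: keyword`. The hunk also never declares `event.timezone`, although the pipeline's grok extracts `%{ISO8601_TIMEZONE:event.timezone}` and the sample event shows `"timezone": "-04:00"`; add an entry for it with `type: keyword` so the field is mapped consistently across indices. Conversely, `user.name`, `user.target.name` and `user.target.domain` are declared here but nothing in the visible part of the pipeline sets them — if nothing populates them, dropping the declarations keeps the exported-fields table honest.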
@@ -0,0 +1,71 @@
+- name: oracle.database_audit
+ type: group
+ description: >
+ Integration for parsing Oracle Database audit logs
+
+ fields:
+ - name: status
+ type: keyword
+ description: >
+ Database Audit Status.
+
+ - name: session_id
+ type: keyword
+ description: >
+ Indicates the audit session ID number.
+
+ - name: client.terminal
+ type: keyword
+ description: >
+ If available, the client terminal type, for example "pty".
+
+ - name: client.address
+ type: keyword
+ description: >
+ The IP Address or Domain used by the client.
+
+ - name: client.user
+ type: keyword
+ description: >
+ The user running the client or connection to the database.
+
+ - name: database.user
+ type: keyword
+ description: >
+ The database user used to authenticate.
+
+ - name: privilege
+ type: keyword
+ description: >
+ The privilege group related to the database user.
+
+ - name: entry.id
+ type: keyword
+ description: >
+ Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
+
+ - name: database.host
+ type: keyword
+ description: >
+ Client host machine name.
+
+ - name: action
+ type: keyword
+ description: >
+ The action performed during the audit event. This could for example be the raw query.
+
+ - name: action_number
+ type: keyword
+ description: >
+ Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
+
+ - name: database.id
+ type: keyword
+ description: >
+ Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
+
+ - name: length
+ type: long
+ description: >
+ Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
+
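Review bot: `database.host` is described as "Client host machine name", yet the pipeline in this PR renames `oracle.database_audit.userhost` to `server.address` before it renames the same source field to `oracle.database_audit.database.host` (with `ignore_missing: true`), so the second rename is a no-op and the value lands in `server.address`/`server.domain` — the sample event confirms `testlab.local` under `server.*` and no `database.host`. Labelling what the description itself calls the client host as `server.*` misattributes the connecting machine during an investigation, so either the pipeline's first rename should target `client.address`, or this description must stop claiming it is the client host. The same pattern seems to leave `client.address`, `client.user`, `database.user` and `privilege` documented here but never populated, because their source fields are moved to ECS `client.*`/`server.*`/`user.roles` first. At minimum make the text honest: `Client host machine name (Oracle USERHOST). The ingest pipeline moves this value to server.address, so this field is normally empty.`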
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/manifest.yml b/packages/oracle/1.0.2/data_stream/database_audit/manifest.yml
new file mode 100755
index 0000000000..e5c659768f
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/manifest.yml
@@ -0,0 +1,41 @@
+title: Oracle Audit Log
+type: logs
+streams:
+ - input: filestream
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /home/user/oracleauditlogs/*.aud
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - oracle-database_audit
+ - name: preserve_original_event
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ required: true
+ show_user: true
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ title: Oracle Audit Log
+ description: Collect Oracle audit logs
diff --git a/packages/oracle/1.0.2/data_stream/database_audit/sample_event.json b/packages/oracle/1.0.2/data_stream/database_audit/sample_event.json
new file mode 100755
index 0000000000..7b8c34709c
--- /dev/null
+++ b/packages/oracle/1.0.2/data_stream/database_audit/sample_event.json
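Review bot: The `paths` default `/home/user/oracleauditlogs/*.aud` is a placeholder that will not match a real Oracle installation, and the var has no `description` telling the operator where the OS audit trail actually lives (Oracle writes it to the directory set by `audit_file_dest`, typically `$ORACLE_BASE/admin/<SID>/adump`), so a user who accepts the default silently collects nothing. Add under the `paths` var: `description: Paths to Oracle OS audit trail files. Point this at the directory configured by the audit_file_dest parameter (typically $ORACLE_BASE/admin/<SID>/adump/*.aud).` That directory is normally readable only by the oracle user and its group, so the agent account needs read access granted explicitly; that prerequisite belongs in the data stream description as well. Note also that `preserve_original_event` defaults to `false`, and the pipeline in this PR removes `event.original` unless the `preserve_original_event` tag is present, so the verbatim audit record is discarded by default — sensible for volume, but worth stating in its description since these are audit records an investigator may need to reproduce.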
@@ -0,0 +1,109 @@ +{ + "@timestamp": "2020-10-07T14:57:51.000Z", + "agent": { + "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", + "id": "5940e9e3-013b-43c0-a459-261d69b08862", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "user": { + "name": "oracle" + } + }, + "data_stream": { + "dataset": "oracle.database_audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "5940e9e3-013b-43c0-a459-261d69b08862", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "database_audit", + "agent_id_status": "verified", + "category": "database", + "dataset": "oracle.database_audit", + "ingested": "2022-02-24T08:25:06Z", + "kind": "event", + "outcome": "success", + "timezone": "-04:00", + "type": "access" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.240.7" + ], + "mac": [ + "02:42:c0:a8:f0:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.60.1-microsoft-standard-WSL2", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "filestream" + }, + "log": { + "file": { + "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" + }, + "flags": [ + "multiline" + ], + "offset": 882 + }, + "oracle": { + "database_audit": { + "action": "CONNECT", + "action_number": "100", + "client": { + "terminal": "pts/0" + }, + "length": 253, + "session_id": "4294967295", + "status": "0" + } + }, + "process": { + "pid": 13765 + }, + "related": { + "hosts": [ + "testlab.local" + ], + "user": [ + "/", + "oracle" + ] + }, + "server": { + "address": "testlab.local", + "domain": "testlab.local", + "user": { + "name": "/" + } + }, + "tags": [ + "oracle-database_audit" + ], + "user": { + "roles": "SYSDBA" + } +} \ No newline at end 
of file diff --git a/packages/oracle/1.0.2/docs/README.md b/packages/oracle/1.0.2/docs/README.md new file mode 100755 index 0000000000..3d98318c49 --- /dev/null +++ b/packages/oracle/1.0.2/docs/README.md 
@@ -0,0 +1,217 @@ +# Oracle Integration + +This integration is for ingesting Audit Trail logs from Oracle Databases. + +The integration expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the [Oracle Database Audit Trail Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF). + +## Compatibility + +This integration has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested. + +### Database Audit Log + +The `database_audit` dataset collects Oracle Audit logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | related log flags | | +| log.offset | Log offset | long | +| message | human-readable summary of the event | text | +| oracle.database_audit.action | The action performed during the audit event. This could for example be the raw query. | keyword | +| oracle.database_audit.action_number | Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. | keyword | +| oracle.database_audit.client.address | The IP Address or Domain used by the client. | keyword | +| oracle.database_audit.client.terminal | If available, the client terminal type, for example "pty". 
| keyword | +| oracle.database_audit.client.user | The user running the client or connection to the database. | keyword | +| oracle.database_audit.database.host | Client host machine name. | keyword | +| oracle.database_audit.database.id | Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. | keyword | +| oracle.database_audit.database.user | The database user used to authenticate. | keyword | +| oracle.database_audit.entry.id | Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. | keyword | +| oracle.database_audit.length | Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. | long | +| oracle.database_audit.privilege | The privilege group related to the database user. | keyword | +| oracle.database_audit.session_id | Indicates the audit session ID number. | keyword | +| oracle.database_audit.status | Database Audit Status. | keyword | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +An example event for `database_audit` looks as following: + +```json +{ + "@timestamp": "2020-10-07T14:57:51.000Z", + "agent": { + "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", + "id": "5940e9e3-013b-43c0-a459-261d69b08862", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "user": { + "name": "oracle" + } + }, + "data_stream": { + "dataset": "oracle.database_audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "5940e9e3-013b-43c0-a459-261d69b08862", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "database_audit", + "agent_id_status": "verified", + "category": "database", + "dataset": "oracle.database_audit", + "ingested": "2022-02-24T08:25:06Z", + "kind": "event", + "outcome": "success", + "timezone": "-04:00", + "type": "access" + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.240.7" + ], + "mac": [ + "02:42:c0:a8:f0:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": 
"debian", + "kernel": "5.10.60.1-microsoft-standard-WSL2", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "filestream" + }, + "log": { + "file": { + "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" + }, + "flags": [ + "multiline" + ], + "offset": 882 + }, + "oracle": { + "database_audit": { + "action": "CONNECT", + "action_number": "100", + "client": { + "terminal": "pts/0" + }, + "length": 253, + "session_id": "4294967295", + "status": "0" + } + }, + "process": { + "pid": 13765 + }, + "related": { + "hosts": [ + "testlab.local" + ], + "user": [ + "/", + "oracle" + ] + }, + "server": { + "address": "testlab.local", + "domain": "testlab.local", + "user": { + "name": "/" + } + }, + "tags": [ + "oracle-database_audit" + ], + "user": { + "roles": "SYSDBA" + } +} +``` \ No newline at end of file diff --git a/packages/oracle/1.0.2/img/oracle_logo.svg b/packages/oracle/1.0.2/img/oracle_logo.svg new file mode 100755 index 0000000000..0981dfcff2 --- /dev/null +++ b/packages/oracle/1.0.2/img/oracle_logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/oracle/1.0.2/manifest.yml b/packages/oracle/1.0.2/manifest.yml new file mode 100755 index 0000000000..3c1218339f --- /dev/null +++ b/packages/oracle/1.0.2/manifest.yml 
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: oracle
+title: "Oracle"
+version: 1.0.2
+license: basic
+description: "Oracle Audit Log Integration"
+type: integration
+categories:
+ - security
+ - datastore
+release: ga
+conditions:
+ kibana.version: "^7.17.0 || ^8.0.0"
+icons:
+ - src: /img/oracle_logo.svg
+ title: Oracle
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: oracle
+ title: Oracle Audit Logs
+ description: Collect Oracle audit logs
+ inputs:
+ - type: filestream
+ title: Collect logs from Oracle instances
+ description: Collecting Oracle audit logs
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/panw/2.2.2/changelog.yml b/packages/panw/2.2.2/changelog.yml
new file mode 100755
index 0000000000..e8cc6db8f7
--- /dev/null
+++ b/packages/panw/2.2.2/changelog.yml
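Review bot: `version: 1.0.2` and `format_version: 1.0.0` are written as plain scalars while `title` and `description` on the neighbouring lines are quoted, and every changelog in this same diff quotes its versions (`version: "2.2.2"`). Two-dot values parse as strings on any YAML parser, so this is a consistency point rather than a defect, but `version: "1.0.2"` and `format_version: "1.0.0"` keep the manifest in one quoting style and protect a future single-dot value from being read as a float.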
@@ -0,0 +1,166 @@ +# newer versions go on top +- version: "2.2.2" + changes: + - description: Fix mapping for zone breakout + type: bugfix + link: https://github.com/elastic/integrations/pull/3361 +- version: "2.2.1" + changes: + - description: Fix search terms in saved searches + type: bugfix + link: https://github.com/elastic/integrations/pull/3324 + - description: Remove invalid value in sample event and publish in documentation + type: bugfix + link: https://github.com/elastic/integrations/pull/3324 + - description: Add threat term to threat data set event.category + type: enhancement + link: https://github.com/elastic/integrations/pull/3324 +- version: "2.2.0" + changes: + - description: Replace syslog input with UDP/TCP input and syslog processor. + type: enhancement + link: https://github.com/elastic/integrations/pull/3323 +- version: "2.1.0" + changes: + - description: Add GeoIP/ASN data for `*.nat.ip` fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3293 +- version: "2.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "1.6.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.5.3" + changes: + - description: Remove invalid field values + type: enhancement + link: https://github.com/elastic/integrations/pull/3094 +- version: "1.5.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.5.1" + changes: + - description: Extend and explicitly link to event streams that are handled. + type: enhancement + link: https://github.com/elastic/integrations/pull/2810 +- version: "1.5.0" + changes: + - description: Add HIP Match event handling. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/2758 + - description: Add User ID event handling. + type: enhancement + link: https://github.com/elastic/integrations/pull/2758 + - description: Add Global Protect event handling. + type: enhancement + link: https://github.com/elastic/integrations/pull/2758 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2430 +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2221 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2093 +- version: "1.2.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1979 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1840 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1672 +- version: "1.1.3" + changes: + - description: Add time zone offset input + type: enhancement + link: https://github.com/elastic/integrations/pull/1580 +- version: "1.1.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1496 +- version: '1.1.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1408 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1221 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1221 +- version: "0.8.1" + changes: + - description: use `wildcard` field type for the relevant ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1182 +- version: "0.8.0" + changes: + - description: update to ECS 1.10.0 and add fixes to event.original + type: enhancement + link: https://github.com/elastic/integrations/pull/1093 +- version: "0.7.2" + changes: + - description: Make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/1007 +- version: "0.7.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/863 +- version: "0.7.0" + changes: + - description: Moving edge 
processing to ES Ingest pipelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/772
+- version: "0.6.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/233
diff --git a/packages/panw/2.2.2/data_stream/panos/agent/stream/logfile.yml.hbs b/packages/panw/2.2.2/data_stream/panos/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..56fdcb1726
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/agent/stream/logfile.yml.hbs
@@ -0,0 +1,36 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+ {{#if internal_zones.length}}
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+ {{#if external_zones.length}}
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/panw/2.2.2/data_stream/panos/agent/stream/tcp.yml.hbs b/packages/panw/2.2.2/data_stream/panos/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..1f12e671b5
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/agent/stream/tcp.yml.hbs
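Review bot: `tz_offset: {{tz_offset}}` under `fields._conf` renders the user's setting as a plain scalar, so its type is left to the agent's YAML parser: an offset such as `-04:00` is a digits-and-colons value that YAML 1.1 rules can read as a sexagesimal integer, and an empty setting renders as `tz_offset:` with no value, i.e. null. default.yml later compares `_conf.tz_offset` with the string `'local'` and copies it into `event.timezone`, which the `date` processors consume as a timezone string. Quoting the substitution, `tz_offset: "{{tz_offset}}"`, pins the type; the empty case then becomes `""` rather than null, so the `!= null` guard in default.yml would also need to reject the empty string, or the line can be wrapped in `{{#if tz_offset}}…{{/if}}`. The same unquoted `timezone: {{tz_offset}}` appears in the syslog processor of tcp.yml.hbs and udp.yml.hbs in the next two hunks.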
@@ -0,0 +1,44 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+ - add_locale: ~
+ - syslog:
+ field: message
+ format: auto
+ timezone: {{tz_offset}}
+{{#if processors}}
+ {{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+ - add_fields:
+ target: _conf
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+ - add_fields:
+ target: _conf
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/panw/2.2.2/data_stream/panos/agent/stream/udp.yml.hbs b/packages/panw/2.2.2/data_stream/panos/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..6570359d1b
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/agent/stream/udp.yml.hbs
@@ -0,0 +1,38 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_locale: ~
+ - syslog:
+ field: message
+ format: auto
+ timezone: {{tz_offset}}
+{{#if processors}}
+ {{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+ - add_fields:
+ target: _conf
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+ - add_fields:
+ target: _conf
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..8d6240bb1a
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,606 @@ +--- +description: "Pipeline for Palo Alto Networks PAN-OS Logs" +processors: + - set: + field: ecs.version + value: '8.2.0' + - set: + field: observer.vendor + value: Palo Alto Networks + - set: + field: observer.product + value: PAN-OS + - set: + field: observer.type + value: firewall + + - set: + field: event.timezone + value: "{{{_conf.tz_offset}}}" + if: ctx?._conf?.tz_offset != null && ctx?._conf?.tz_offset != 'local' + +# Collects the first few parts of the message to be used for conditional parsing later + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - "^%{DATA},%{TIMESTAMP:event.created},%{FIELD:observer.serial_number},%{FIELD:panw.panos.type},(?:%{FIELD:panw.panos.sub_type})?,%{FIELD},%{TIMESTAMP:_temp_.generated_time},%{GREEDYDATA:message}$" + pattern_definitions: + TIMESTAMP: "%{PANW_DATE}|%{TIMESTAMP_ISO8601}" + PANW_DATE: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}" + FIELD: "[^,]*" + +## TRAFFIC + - pipeline: + if: ctx?.panw?.panos?.type == "TRAFFIC" + name: '{{ IngestPipeline "traffic" }}' +## THREAT + - pipeline: + if: ctx?.panw?.panos?.type == "THREAT" + name: '{{ IngestPipeline "threat" }}' +## HIPMATCH + - pipeline: + if: 'ctx?.panw?.panos?.type == "HIPMATCH" || ctx?.panw?.panos?.type == "HIP-MATCH"' + name: '{{ IngestPipeline "hipmatch" }}' +## USER ID + - pipeline: + if: ctx?.panw?.panos?.type == "USERID" + name: '{{ IngestPipeline "userid" }}' +## GLOBAL PROTECT + - pipeline: + if: ctx?.panw?.panos?.type == "GLOBALPROTECT" + name: '{{ IngestPipeline "globalprotect" }}' + +# Set @timestamp to the time when the entry was generated at the data plane. 
+ - date: + if: "ctx?.event?.timezone == null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx?.event?.timezone != null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + timezone: "{{{ event.timezone }}}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +# event.created is the time the event was received at the management plane. + - date: + if: "ctx?.event?.timezone == null && ctx?.event?.created != null" + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx?.event?.timezone != null && ctx?.event?.created != null" + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + timezone: "{{{ event.timezone }}}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +# convert integer fields as the output of the CSV processor is always a string. 
+ - convert: + type: long + ignore_missing: true + field: source.bytes + - convert: + type: long + ignore_missing: true + field: source.packets + - convert: + type: long + ignore_missing: true + field: source.port + - convert: + type: long + ignore_missing: true + field: destination.bytes + - convert: + type: long + ignore_missing: true + field: destination.packets + - convert: + type: long + ignore_missing: true + field: destination.port + - convert: + type: long + ignore_missing: true + field: network.bytes + - convert: + type: long + ignore_missing: true + field: network.packets + - convert: + type: long + ignore_missing: true + field: event.duration + - convert: + type: long + ignore_missing: true + field: _temp_.labels + - convert: + type: long + ignore_missing: true + field: panw.panos.sequence_number + - convert: + type: long + ignore_missing: true + field: source.nat.port + - convert: + type: long + ignore_missing: true + field: destination.nat.port + - convert: + type: long + ignore_missing: true + field: panw.panos.repeat_count + - convert: + type: long + ignore_missing: true + field: panw.panos.scp.chunks + - convert: + type: long + ignore_missing: true + field: panw.panos.scp.chunks_sent + - convert: + type: long + ignore_missing: true + field: panw.panos.scp.chunks_received + +# Remove PCAP ID when zero (no packet capture). + - remove: + if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' + field: + - panw.panos.network.pcap_id + +# Extract 'flags' bitfield into labels. 
+ - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + # TODO: Remove the workaround for https://github.com/elastic/kibana/issues/85486 + # that converts the param values from string to Long. + source: > + def labels = ctx?.labels; + if (labels == null) { + labels = new HashMap(); + ctx['labels'] = labels; + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { + def flag = entry.getValue(); + if (flag instanceof String) { + flag = Long.decode(flag); + } + if ((value & flag) != 0) { + labels[entry.getKey()] = true; + } + } + +# normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { + ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); + } + +# Set event.category. + - append: + field: event.type + value: allowed + if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" + - append: + field: event.type + value: denied + if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" + - set: + field: event.outcome + value: success + +# event.action for traffic logs. 
+ - set: + field: event.action + value: flow_started + if: 'ctx?.panw?.panos?.sub_type == "start"' + - append: + field: event.type + value: + - start + - connection + if: 'ctx?.panw?.panos?.sub_type == "start"' + - set: + field: event.action + value: flow_terminated + if: 'ctx?.panw?.panos?.sub_type == "end"' + - append: + field: event.type + value: + - end + - connection + if: 'ctx?.panw?.panos?.sub_type == "end"' + - set: + field: event.action + value: flow_dropped + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - append: + field: event.type + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - set: + field: event.action + value: flow_denied + if: 'ctx?.panw?.panos?.sub_type == "deny"' + - append: + field: event.type + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "deny"' + +# event.action for threat logs. + - set: + field: event.action + value: data_match + if: 'ctx?.panw?.panos?.sub_type == "data"' + - set: + field: event.action + value: file_match + if: 'ctx?.panw?.panos?.sub_type == "file"' + - set: + field: event.action + value: flood_detected + if: 'ctx?.panw?.panos?.sub_type == "flood"' + - set: + field: event.action + value: packet_attack + if: 'ctx?.panw?.panos?.sub_type == "packet"' + - set: + field: event.action + value: scan_detected + if: 'ctx?.panw?.panos?.sub_type == "scan"' + - set: + field: event.action + value: spyware_detected + if: 'ctx?.panw?.panos?.sub_type == "spyware"' + - set: + field: event.action + value: url_filtering + if: 'ctx?.panw?.panos?.sub_type == "url"' + - set: + field: event.action + value: virus_detected + if: 'ctx?.panw?.panos?.sub_type == "virus"' + - set: + field: event.action + value: exploit_detected + if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' + - set: + field: event.action + value: wildfire_verdict + if: 'ctx?.panw?.panos?.sub_type == "wildfire"' + - set: + field: event.action + value: wildfire_virus_detected + if: 'ctx?.panw?.panos?.sub_type == 
"wildfire-virus"' + +# Set numeric log.level from event.severity. + - set: + field: "event.severity" + if: 'ctx?.log?.level == "critical"' + value: 1 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "high"' + value: 2 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "medium"' + value: 3 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "low"' + value: 4 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "informational"' + value: 5 + +# Normalize event.outcome. +# These values appear in the TRAFFIC docs but look like a mistake. + - set: + field: panw.panos.action + value: 'drop-icmp' + if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' + - set: + field: panw.panos.action + value: 'reset-both' + if: 'ctx?.panw?.panos?.action == "reset both"' + - set: + field: panw.panos.action + value: 'reset-client' + if: 'ctx?.panw?.panos?.action == "reset client"' + - set: + field: panw.panos.action + value: 'reset-server' + if: 'ctx?.panw?.panos?.action == "reset server"' + +# Set original PANW NAT fields for backwards compatibility, should be removed in 8.0 + - set: + field: panw.panos.destination.nat.ip + copy_from: destination.nat.ip + if: ctx?.destination?.nat?.ip != null + - set: + field: panw.panos.source.nat.ip + copy_from: source.nat.ip + if: ctx?.source?.nat?.ip != null + - convert: + type: long + ignore_missing: true + field: destination.nat.port + target_field: panw.panos.destination.nat.port + - convert: + type: long + ignore_missing: true + field: source.nat.port + target_field: panw.panos.source.nat.port + +# Build related.ip array from src/dest/NAT IPs. 
+ - append: + if: 'ctx?.source?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.ip}}' + - append: + if: 'ctx?.destination?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.ip}}' + - append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.nat.ip}}' + - append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.nat.ip}}' + +# Geolocation for source. + - geoip: + if: 'ctx?.source?.ip != null' + field: source.ip + target_field: source.geo + - geoip: + if: 'ctx?.source?.nat?.ip != null && ctx.source?.geo == null' + field: source.nat.ip + target_field: source.geo + + +# Geolocation for destination. + - geoip: + if: 'ctx?.destination?.ip != null' + field: destination.ip + target_field: destination.geo + - geoip: + if: 'ctx?.destination?.nat?.ip != null && ctx.destination?.geo == null' + field: destination.nat.ip + target_field: destination.geo + + +# IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: 'ctx?.source?.nat?.ip != null && ctx.source?.as == null' + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: 'ctx?.destination?.nat?.ip != null && ctx.destination?.as == null' + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: 
source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +# Set source|destination.geo.name from panw's srcloc|dstloc + - rename: + if: 'ctx.source?.geo?.name == null' + field: _temp_.srcloc + target_field: source.geo.name + ignore_missing: true + - rename: + if: 'ctx.destination?.geo?.name == null' + field: _temp_.dstloc + target_field: destination.geo.name + ignore_missing: true + - convert: + field: source.port + type: integer + if: ctx?.source?.port != null + - convert: + field: destination.port + type: integer + if: ctx?.destination?.port != null + - convert: + field: source.nat.port + type: integer + if: ctx?.source?.nat?.port != null + - convert: + field: destination.nat.port + type: integer + if: ctx?.destination?.nat?.port != null + +# Set community network ID's + - community_id: + target_field: network.community_id + if: ctx?.source?.port != null && ctx?.source?.port != 0 && ctx?.destination?.port != null && ctx?.destination?.port != 0 + - community_id: + target_field: panw.panos.network.nat.community_id + source_ip: source.nat.ip + source_port: source.nat.port + destination_ip: destination.nat.ip + destination_port: destination.nat.port + if: ctx?.source?.nat?.port != null && ctx?.source?.nat?.port != 0 && ctx?.destination?.nat?.port != null && ctx?.destination?.nat?.port != 0 + +# Append NAT community_id to network.community_id + - append: + if: 'ctx?.panw?.panos?.network?.nat?.community_id != null && ctx.panw.panos.network.nat.community_id != ctx?.network?.community_id' + field: network.community_id + value: + - '{{panw.panos.network.nat.community_id}}' + - grok: + if: 'ctx?.panw?.panos?.threat?.name != null' + field: panw.panos.threat.name + ignore_failure: true + patterns: + - 
'%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)' + - set: + field: panw.panos.threat.name + value: 'URL-filtering' + if: 'ctx?.panw?.panos?.threat?.id == "9999"' + - set: + field: rule.name + value: "{{panw.panos.ruleset}}" + ignore_empty_value: true + - append: + field: related.user + allow_duplicates: false + value: "{{client.user.name}}" + if: "ctx?.client?.user?.name != null" + - append: + field: related.user + allow_duplicates: false + value: "{{source.user.name}}" + if: "ctx?.source?.user?.name != null" + - append: + field: related.user + allow_duplicates: false + value: "{{server.user.name}}" + if: "ctx?.server?.user?.name != null" + - append: + field: related.user + allow_duplicates: false + value: "{{destination.user.name}}" + if: "ctx?.destination?.user?.name != null" + - append: + field: related.hash + allow_duplicates: false + value: "{{panw.panos.file.hash}}" + if: "ctx?.panw?.panos?.file?.hash != null" + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" + allow_duplicates: false + - append: + field: related.hosts + value: "{{host.name}}" + if: "ctx?.host?.name != null && ctx.host?.name != ''" + allow_duplicates: false +# Remove temporary fields. + - remove: + field: + - _temp_ + - _conf + ignore_missing: true +# Remove NAT fields when translation was not done. 
+ - remove: + field: + - source.nat.ip + - source.nat.port + if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' + - remove: + field: + - destination.nat.ip + - destination.nat.port + if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + +on_failure: + - append: + field: "error.message" + value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}" + - remove: + field: + - _temp_ + - _conf + - message + ignore_missing: true diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml new file mode 100755 index 0000000000..53d0472d94 --- /dev/null +++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml 
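Review bot: Several section comments in this pipeline describe a different field than the processors beneath them and will mislead the next maintainer. `# Set numeric log.level from event.severity.` sits above five `set` processors that do the reverse — they write `event.severity` from `log.level` — so it should read `# Set numeric event.severity from log.level.`; `# Set event.category.` precedes `append` processors on `event.type` plus a `set` of `event.outcome`, and `# Normalize event.outcome.` precedes `set` processors that rewrite `panw.panos.action`. `# Set original PANW NAT fields for backwards compatibility, should be removed in 8.0` also looks stale given that the same pipeline already sets `ecs.version` to `8.2.0`; the comment should name the release in which the copies are actually planned to go.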
@@ -0,0 +1,87 @@
+---
+description: Pipeline for PanOS Global Protect Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - panw.panos.virtual_sys
+ - event.code
+ - panw.panos.stage
+ - panw.panos.auth_method
+ - panw.panos.tunnel_type
+ - _temp_.srcuser
+ - _temp_.srcloc
+ - host.name
+ - source.nat.ip
+ - _temp_.public_ipv6
+ - source.ip
+ - _temp_.private_ipv6
+ - host.id
+ - panw.panos.serial_number
+ - panw.panos.client_ver
+ - host.os.family
+ - host.os.full
+ - panw.panos.repeat_count
+ - event.reason
+ - panw.panos.error_message
+ - panw.panos.description
+ - event.outcome
+ - observer.geo.name
+ - event.duration
+ - panw.panos.connect_method
+ - panw.panos.error_code
+ - observer.hostname
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - panw.panos.selection_type
+ - panw.panos.response_time
+ - panw.panos.priority
+ - panw.panos.attempted_gateways
+ - panw.panos.gateway
+
+ - set:
+ field: source.ip
+ value: "{{_temp_.private_ipv6}}"
+ if: (ctx.source?.ip == null || ctx.source?.ip == "0.0.0.0") && ctx._temp_?.private_ipv6 != null && ctx._temp_?.private_ipv6 != "0.0.0.0"
+ - set:
+ field: host.ip
+ value: "{{source.ip}}"
+ if: ctx.source?.ip != null
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.public_ipv6}}"
+ if: (ctx.source?.nat?.ip == null || ctx.source?.nat?.ip == "0.0.0.0") && ctx._temp_?.public_ipv6 != null && ctx._temp_?.public_ipv6 != "0.0.0.0"
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(":")'
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Global Protect pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml
new file mode 100755
index 0000000000..3833612f18
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml
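Review bot: After the `source.ip` substitution, a record whose private-IP column is `0.0.0.0` and whose IPv6 column is empty keeps `source.ip` as `0.0.0.0`, and the following `set` copies that placeholder into `host.ip` because its guard checks only `ctx.source?.ip != null`. Nothing in default.yml in this diff drops a zero `source.ip` (only the NAT pair is removed), so the placeholder would reach `related.ip` and the geoip lookups. Extending the guard to `if: ctx.source?.ip != null && ctx.source.ip != "0.0.0.0"`, or adding a `remove` of `source.ip` conditioned on `ctx.source?.ip == "0.0.0.0"` ahead of it, keeps it out; whether PAN-OS actually emits `0.0.0.0` there for IPv6-only clients is inferred from the guards in this hunk, not confirmed.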
@@ -0,0 +1,69 @@
+---
+description: Pipeline for PanOS HIP Match Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - _temp_.srcuser
+ - panw.panos.virtual_sys
+ - host.name
+ - host.os.full
+ - source.ip
+ - panw.panos.matchname
+ - panw.panos.repeat_count
+ - panw.panos.matchtype
+ - _temp_.future_use3
+ - _temp_.future_use4
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - panw.panos.device_group_hierarchy1
+ - panw.panos.device_group_hierarchy2
+ - panw.panos.device_group_hierarchy3
+ - panw.panos.device_group_hierarchy4
+ - panw.panos.vsys_name
+ - observer.hostname
+ - panw.panos.vsys_id
+ - _temp_.source_ipv6
+ - host.id
+ - panw.panos.serial_number
+ - host.mac
+
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: source.ip
+ value: "{{_temp_.source_ipv6}}"
+ if: ctx?._temp_?.source_ipv6 != null && ctx?._temp_?.source_ipv6 != "" && ctx?._temp_?.source_ipv6 != "0.0.0.0"
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in HIP Match pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
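Review bot: The two `network.type` conditions, `ctx?.network?.type == null && ctx?.source?.ip.contains(".")` and its `":"` twin, call `.contains()` on `source.ip` without a null check, so a HIP Match record with no source IP (the `csv` processor leaves a target unset when its column is empty unless `empty_value` is given, and the `_temp_.source_ipv6` fallback only fires for a non-empty value) throws a NullPointerException and routes the event to `on_failure`. globalprotect.yml in the previous hunk guards the same test correctly; mirror it with `if: 'ctx?.network?.type == null && ctx?.source?.ip != null && ctx.source.ip.contains(".")'` and the same shape for the IPv6 case.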
diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml
new file mode 100755
index 0000000000..bbd6feb43d
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml
@@ -0,0 +1,108 @@ +--- +description: Pipeline for PanOS Threat Logs +processors: + - csv: + field: message + target_fields: + - source.ip + - destination.ip + - source.nat.ip + - destination.nat.ip + - panw.panos.ruleset + - source.user.name + - destination.user.name + - network.application + - panw.panos.related_vsys + - observer.ingress.zone + - observer.egress.zone + - observer.ingress.interface.name + - observer.egress.interface.name + - panw.panos.log_profile + - _temp_.future_use1 + - panw.panos.flow_id + - panw.panos.repeat_count + - source.port + - destination.port + - source.nat.port + - destination.nat.port + - _temp_.labels + - network.transport + - panw.panos.action + - url.original + - panw.panos.threat.name + - panw.panos.url.category + - log.level + - _temp_.direction + - panw.panos.sequence_number + - panw.panos.action_flags + - _temp_.srcloc + - _temp_.dstloc + - _temp_.future_use2 + - panw.panos.http_content_type + - panw.panos.network.pcap_id + - panw.panos.file.hash + - panw.panos.wildfire.name + - panw.panos.url_idx + - user_agent.original + - file.type + - network.forwarded_ip + - http.request.referer + - source.user.email + - panw.panos.subject + - destination.user.email + - panw.panos.wildfire.report_id + - panw.panos.device_group_hierarchy1 + - panw.panos.device_group_hierarchy2 + - panw.panos.device_group_hierarchy3 + - panw.panos.device_group_hierarchy4 + - panw.panos.vsys_name + - observer.hostname + - _temp_.future_use3 + - panw.panos.source_vm_uuid + - panw.panos.destination_vm_uuid + - http.request.method + - panw.panos.imsi + - panw.panos.imei + - panw.panos.parent_session.id + - panw.panos.parent_session.start_time + - panw.panos.tunnel_type + - panw.panos.threat_category + - panw.panos.content_version + - panw.panos.scp.assoc_id + - panw.panos.payload_protocol_id + - panw.panos.http_headers + + +# Set network.direction from threat direction (Threat logs). 
+ - set: + field: network.direction + value: inbound + if: ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server" + - set: + field: network.direction + value: outbound + if: ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client" + - set: + field: network.direction + value: unknown + if: ctx?.network?.direction == null + +# Set event.category. + - set: + field: event.kind + value: alert + - append: + field: event.category + value: + - intrusion_detection + - threat + - network + +on_failure: + - append: + field: error.message + value: >- + error in Threat pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml new file mode 100755 index 0000000000..63ebd2f507 --- /dev/null +++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml 
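Review bot: `network.forwarded_ip` is filled directly by the `csv` processor from the column between `file.type` and `http.request.referer`, which by position is the X-Forwarded-For value, and since that field is mapped as `ip` (see the ecs.yml section of this commit) any non-address content in that client-supplied header makes the whole threat event fail at index time unless a later processor validates it; a malformed header must not be able to drop an alert, so if the parent pipeline does not already do so, a `convert` with `type: ip` and `ignore_failure: true` (or an equivalent check that clears the field) is needed before indexing. The first three `set` processors translate PAN-OS `0`/`client-to-server` to `inbound` and `1`/`server-to-client` to `outbound`; that is the threat's direction relative to the session initiator, not traffic relative to the perimeter as ECS defines `inbound`/`outbound`, so a comment such as `# PAN-OS threat direction is client-to-server/server-to-client, mapped here relative to the session initiator, not the perimeter` would keep analysts from reading it as perimeter direction. The `processors` list starts in the preceding diff line.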
@@ -0,0 +1,186 @@ +--- +description: Pipeline for PanOS Traffic Logs +processors: + - csv: + field: message + target_fields: + - source.ip + - destination.ip + - source.nat.ip + - destination.nat.ip + - panw.panos.ruleset + - source.user.name + - destination.user.name + - network.application + - panw.panos.related_vsys + - observer.ingress.zone + - observer.egress.zone + - observer.ingress.interface.name + - observer.egress.interface.name + - panw.panos.log_profile + - _temp_.future_use1 + - panw.panos.flow_id + - panw.panos.repeat_count + - source.port + - destination.port + - source.nat.port + - destination.nat.port + - _temp_.labels + - network.transport + - panw.panos.action + - network.bytes + - source.bytes + - destination.bytes + - network.packets + - event.start + - event.duration + - panw.panos.url.category + - _temp_.future_use2 + - panw.panos.sequence_number + - panw.panos.action_flags + - _temp_.srcloc + - _temp_.dstloc + - _temp_.future_use3 + - source.packets + - destination.packets + - panw.panos.endreason + - panw.panos.device_group_hierarchy1 + - panw.panos.device_group_hierarchy2 + - panw.panos.device_group_hierarchy3 + - panw.panos.device_group_hierarchy4 + - panw.panos.vsys_name + - observer.hostname + - panw.panos.action_source + - panw.panos.source_vm_uuid + - panw.panos.destination_vm_uuid + - panw.panos.imsi + - panw.panos.imei + - panw.panos.parent_session.id + - panw.panos.parent_session.start_time + - panw.panos.tunnel_type + - panw.panos.scp.assoc_id + - panw.panos.scp.chunks + - panw.panos.scp.chunks_sent + - panw.panos.scp.chunks_received + +# Set network.direction using src/dst zone (traffic logs). 
+ - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && + !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && + !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone) + ) + ) + +# Set network.type. 
+ - set: + field: network.type + value: 'ipv4' + if: ctx?.labels?.ipv6_session == null + - set: + field: network.type + value: 'ipv6' + if: ctx?.labels?.ipv6_session != null + +# Set event.category. + - set: + field: event.kind + value: event + - append: + field: event.category + value: + - network + +# event.start is the time the session started. + - date: + if: "ctx?.event?.timezone == null && ctx?.event?.start != null" + field: "event.start" + target_field: "event.start" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx?.event?.timezone != null && ctx?.event?.start != null" + field: "event.start" + target_field: "event.start" + timezone: "{{{ event.timezone }}}" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +# Time the parent_session of the tunnel started. 
+ - date: + if: "ctx?.event?.timezone == null && ctx?.panw?.panos?.parent_session?.start_time != null" + field: "panw.panos.parent_session.start_time" + target_field: "panw.panos.parent_session.start_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx?.event?.timezone != null && ctx?.panw?.panos?.parent_session?.start_time != null" + field: "panw.panos.parent_session.start_time" + target_field: "panw.panos.parent_session.start_time" + timezone: "{{{ event.timezone }}}" + formats: + - "yyyy/MM/dd HH:mm:ss" + - "strict_date_optional_time_nanos" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +on_failure: + - append: + field: error.message + value: >- + error in Traffic pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml new file mode 100755 index 0000000000..078c7002df --- /dev/null +++ b/packages/panw/2.2.2/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml 
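Review bot: The zone-based `network.direction` block has no final fallback: when only one of `_temp_.internal_zones` / `_temp_.external_zones` is present and a zone matches neither list, none of the five `set` processors fires and `network.direction` stays unset, whereas threat.yml in this commit ends with an unconditional `unknown` fallback guarded by `ctx?.network?.direction == null`; adding the same final `set` here makes the two pipelines consistent and lets detections rely on the field being present. The `unknown` branch itself only fires when both lists are non-null, which is what leaves the gap. As a point of style, the `on_failure` handlers on the four `date` processors are single-line flow mappings while every other handler in the file uses block style; the block form reads and diffs better. The `processors` list begins in the preceding diff lines.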
@@ -0,0 +1,83 @@ +--- +description: Pipeline for PanOS User ID Logs +processors: + - csv: + field: message + target_fields: + - panw.panos.virtual_sys + - source.ip + - _temp_.srcuser + - panw.panos.datasourcename + - event.code + - panw.panos.repeat_count + - panw.panos.timeout + - source.port + - destination.port + - panw.panos.datasource + - panw.panos.datasourcetype + - panw.panos.sequence_number + - panw.panos.action_flags + - panw.panos.device_group_hierarchy1 + - panw.panos.device_group_hierarchy2 + - panw.panos.device_group_hierarchy3 + - panw.panos.device_group_hierarchy4 + - panw.panos.vsys_name + - observer.hostname + - panw.panos.vsys_id + - panw.panos.factortype + - panw.panos.factorcompletiontime + - panw.panos.factorno + - panw.panos.ugflags + - source.user.name + + - grok: + field: _temp_.srcuser + ignore_missing: true + ignore_failure: true + patterns: + - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}' + - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}' + - '%{USERNAME:source.user.name}' + if: ctx?._temp_?.srcuser != null + - set: + field: network.type + value: 'ipv4' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")' + - set: + field: network.type + value: 'ipv6' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")' + - date: + if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone == null" + field: "panw.panos.factorcompletiontime" + target_field: "panw.panos.factorcompletiontime" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone != null" + field: "panw.panos.factorcompletiontime" + target_field: "panw.panos.factorcompletiontime" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{{ event.timezone }}}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message 
}}"}}] + +# Set event.category. + - set: + field: event.kind + value: event + - append: + field: event.category + value: + - network + - iam + +on_failure: + - append: + field: error.message + value: >- + error in User ID pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/packages/panw/2.2.2/data_stream/panos/fields/agent.yml b/packages/panw/2.2.2/data_stream/panos/fields/agent.yml new file mode 100755 index 0000000000..79a7a39864 --- /dev/null +++ b/packages/panw/2.2.2/data_stream/panos/fields/agent.yml 
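Review bot: The two `date` conditions read `ctx.event.timezone` without the null-safe operator used on their other operand (and used as `ctx?.event?.timezone` in traffic.yml), so if `ctx.event` does not exist when they run the condition throws instead of evaluating to false and the document takes the pipeline-level on_failure path; `ctx?.event?.timezone == null` and `ctx?.event?.timezone != null` remove that dependency. `source.user.name` is written twice, first by the last `csv` target column and then by the `grok` on `_temp_.srcuser`, which runs afterwards and silently overwrites it whenever `_temp_.srcuser` is present; if that precedence is intended, a comment on the `grok` processor such as `# takes precedence over the trailing source.user.name csv column` should say so, otherwise the trailing column should map to a distinct field. The `processors` list starts in the preceding diff line.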
@@ -0,0 +1,180 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/panw/2.2.2/data_stream/panos/fields/base-fields.yml b/packages/panw/2.2.2/data_stream/panos/fields/base-fields.yml
new file mode 100755
index 0000000000..fd2e344778
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: panw
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: panw.panos
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/panw/2.2.2/data_stream/panos/fields/beats.yml b/packages/panw/2.2.2/data_stream/panos/fields/beats.yml
new file mode 100755
index 0000000000..f69a96ea42
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/fields/beats.yml
@@ -0,0 +1,33 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: Path to the log file.
+ name: log.file.path
+ type: keyword
+- description: Source address from which the log event was read / sent from.
+ name: log.source.address
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referer
+ type: keyword
+- description: Syslog numeric facility of the event.
+ name: syslog.facility
+ type: long
+- description: Syslog text-based facility of the event.
+ name: syslog.facility_label
+ type: keyword
+- description: Syslog priority of the event.
+ name: syslog.priority
+ type: long
+- description: Syslog text-based severity of the event.
+ name: syslog.severity_label
+ type: keyword
+- description: Name of host parsed from syslog message.
+ name: hostname
+ type: keyword
diff --git a/packages/panw/2.2.2/data_stream/panos/fields/ecs.yml b/packages/panw/2.2.2/data_stream/panos/fields/ecs.yml
new file mode 100755
index 0000000000..91c2f6cc2a
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/fields/ecs.yml
@@ -0,0 +1,446 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
+ Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. + name: log.syslog.facility.name + type: keyword +- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. + name: log.syslog.hostname + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. 
+ name: log.syslog.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. 
+ name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. 
internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: source.user.domain
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/panw/2.2.2/data_stream/panos/fields/fields.yml b/packages/panw/2.2.2/data_stream/panos/fields/fields.yml
new file mode 100755
index 0000000000..3625a11874
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/fields/fields.yml
@@ -0,0 +1,356 @@ +- name: panw.panos + type: group + fields: + - name: ruleset + type: keyword + description: | + Name of the rule that matched this session. + - name: source + type: group + fields: + - name: zone + type: keyword + description: | + Source zone for this session. + - name: interface + type: keyword + description: | + Source interface for this session. + - name: nat + type: group + fields: + - name: ip + type: ip + description: | + Post-NAT source IP. + - name: port + type: long + description: | + Post-NAT source port. + - name: destination + type: group + fields: + - name: zone + type: keyword + description: | + Destination zone for this session. + - name: interface + type: keyword + description: | + Destination interface for this session. + - name: nat + type: group + fields: + - name: ip + type: ip + description: | + Post-NAT destination IP. + - name: port + type: long + description: | + Post-NAT destination port. + - name: endreason + type: keyword + description: | + The reason a session terminated. + - name: network + type: group + fields: + - name: pcap_id + type: keyword + description: | + Packet capture ID for a threat. + - name: nat + type: group + fields: + - name: community_id + type: keyword + description: | + Community ID flow-hash for the NAT 5-tuple. + - name: file + type: group + fields: + - name: hash + type: keyword + description: | + Binary hash for a threat file sent to be analyzed by the WildFire service. + - name: url + type: group + fields: + - name: category + type: keyword + description: | + For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + - name: flow_id + type: keyword + description: | + Internal numeric identifier for each session. + - name: sequence_number + type: long + description: | + Log entry identifier that is incremented sequentially. Unique for each log type. 
+ - name: threat.resource + type: keyword + description: | + URL or file name for a threat. + - name: threat.id + type: keyword + description: | + Palo Alto Networks identifier for the threat. + - name: threat.name + type: keyword + description: | + Palo Alto Networks name for the threat. + - name: action + type: keyword + description: | + Action taken for the session. + - name: type + type: keyword + description: | + Specifies the type of the log. + - name: sub_type + type: keyword + description: | + Specifies the sub type of the log. + - name: related_vsys + type: keyword + description: | + Virtual System associated with the session. + - name: vsys_name + type: keyword + description: | + The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. + - name: log_profile + type: keyword + description: | + Log Forwarding Profile that was applied to the session. + - name: repeat_count + type: long + description: | + Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. + - name: action_flags + type: keyword + description: | + 32-bit field that provides details on session, details about specific values is found in the Palo Alto Traffic Field documentation. + - name: action_source + type: keyword + description: | + Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. + - name: source_vm_uuid + type: keyword + description: | + Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. + - name: destination_vm_uuid + type: keyword + description: | + Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. 
+ - name: imsi + type: keyword + description: | + International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system + - name: imei + type: keyword + description: | + International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. + - name: http_content_type + type: keyword + description: | + Content type of the HTTP response data + - name: content_version + type: keyword + description: | + Applications and Threats version on your firewall when the log was generated. + - name: threat_category + type: keyword + description: | + Describes threat categories used to classify different types of threat signatures. + - name: payload_protocol_id + type: keyword + description: | + ID of the protocol for the payload in the data portion of the data chunk. + - name: http_headers + type: keyword + description: | + Indicates the inserted HTTP header in the URL log entries on the firewall. + - name: wildfire_name + type: keyword + description: | + Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. + - name: url_idx + type: keyword + description: | + When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. + - name: wildfire + type: group + fields: + - name: name + type: keyword + description: | + Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. + - name: report_id + type: keyword + description: | + Identifies the analysis request on the WildFire cloud or the WildFire appliance. 
+ - name: parent_session + type: group + fields: + - name: id + type: keyword + description: | + ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. + - name: start_time + type: date + description: | + Date that the parent tunnel session began. + - name: tunnel_type + type: keyword + description: | + Type of tunnel, such as GRE or IPSec. + - name: device_group_hierarchy1 + type: keyword + description: | + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + - name: device_group_hierarchy2 + type: keyword + description: | + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + - name: device_group_hierarchy3 + type: keyword + description: | + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + - name: device_group_hierarchy4 + type: keyword + description: | + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. 
+ - name: scp + type: group + fields: + - name: assoc_id + type: keyword + description: | + Number that identifies all connections for an association between two SCTP endpoints. + - name: chunks + type: long + description: | + Sum of SCTP chunks sent and received for an association. + - name: chunks_sent + type: long + description: | + Number of SCTP chunks sent for an association. + - name: chunks_received + type: long + description: | + Number of SCTP chunks received for an association. + - name: matchname + type: keyword + description: | + Name of the HIP object or profile. + - name: matchtype + type: keyword + description: | + Whether the document represents a HIP object or a HIP profile. + - name: serial_number + type: keyword + description: | + The serial number of the user’s machine or device. + - name: vsys_id + type: keyword + description: | + A unique identifier for a virtual system on a Palo Alto Networks firewall. + - name: virtual_sys + type: keyword + description: | + Virtual System associated with the HIP match log. + - name: timeout + type: integer + description: | + Timeout after which the IP/User Mappings are cleared. + - name: datasource + type: keyword + description: | + Source from which mapping information is collected. + - name: datasourcetype + type: keyword + description: | + Mechanism used to identify the IP/User mappings within a data source. + - name: datasourcename + type: keyword + description: | + User-ID source that sends the IP (Port)-User Mapping. + - name: factorno + type: integer + description: | + Indicates the use of primary authentication (1) or additional factors (2, 3). + - name: factortype + type: keyword + description: | + Vendor used to authenticate a user when Multi Factor authentication is present. + - name: factorcompletiontime + type: date + description: | + Time the authentication was completed. 
+ - name: ugflags + type: keyword + description: | + Displays whether the user group that was found during user group mapping. Supported values are: + User Group Found—Indicates whether the user could be mapped to a group. + Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. + - name: priority + type: keyword + description: | + The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect. + - name: attempted_gateways + type: keyword + description: | + The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority + - name: selection_type + type: keyword + description: | + The connection method that is selected to connect to the gateway. + - name: auth_method + type: keyword + description: | + A string showing the authentication type. + - name: error_code + type: integer + description: | + An integer associated with any errors that occurred. + - name: description + type: keyword + description: | + Additional information for any event that has occurred. + - name: client_ver + type: keyword + description: | + The client’s GlobalProtect app version. + - name: stage + type: keyword + description: | + A string showing the stage of the connection. + - name: connect_method + type: keyword + description: | + A string showing the how the GlobalProtect app connects to Gateway. 
+- name: labels.pcap_included
+ type: boolean
+- name: labels.ipv6_session
+ type: boolean
+- name: labels.ssl_decrypted
+ type: boolean
+- name: labels.url_filter_denied
+ type: boolean
+- name: labels.nat_translated
+ type: boolean
+- name: labels.captive_portal
+ type: boolean
+- name: labels.x_forwarded_for
+ type: boolean
+- name: labels.http_proxy
+ type: boolean
+- name: labels.container_page
+ type: boolean
+- name: labels.temporary_match
+ type: boolean
+- name: labels.symmetric_return
+ type: boolean
diff --git a/packages/panw/2.2.2/data_stream/panos/manifest.yml b/packages/panw/2.2.2/data_stream/panos/manifest.yml
new file mode 100755
index 0000000000..0b47e523e8
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/manifest.yml
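Review bot: `wildfire_name` and the `name` field inside the `wildfire` group are declared with word-for-word the same description, so the same FQDN can be indexed under two paths (`panw.panos.wildfire_name` and `panw.panos.wildfire.name`) and it is not visible which one pipelines are expected to populate; if one is kept for compatibility, a comment on it such as `# Kept for existing pipelines; panw.panos.wildfire.name is the canonical field` would tell readers which to query. Numeric fields also mix `type: long` (`repeat_count`, `sequence_number`, the `scp.chunks*` counters) and `type: integer` (`timeout`, `factorno`, `error_code`) with no apparent reason, and settling on one keeps the mapping uniform. The `scp` group documents SCTP associations while its name reads as SCP; since the sample event in this same commit already emits `panw.panos.scp.*`, renaming would break data, so a comment like `# "scp" is the historical name; these fields describe SCTP associations` is the safer fix. Nested style is also inconsistent: `threat.resource`/`threat.id`/`threat.name` are dotted names inside the group while `source`, `destination` and `wildfire` are nested `type: group` entries.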
@@ -0,0 +1,239 @@ +type: logs +title: Palo Alto Networks PAN-OS firewall logs +streams: + - input: tcp + title: "Collect logs via syslog over TCP" + description: "Collecting firewall logs from PAN-OS instances (input: tcp)" + template_path: tcp.yml.hbs + vars: + - name: syslog_host + type: text + title: Syslog Host + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9001 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - panw-panos + - forwarded + - name: internal_zones + type: text + title: Internal Zones + multi: true + required: false + show_user: false + default: + - trust + - name: external_zones + type: text + title: External Zones + multi: true + required: false + show_user: false + default: + - untrust + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Time Zone Offset + multi: false + required: true + show_user: true + default: Local + description: >- + By default, datetimes in the logs without a time zone will be interpreted as relative to the time zone configured in the host where the agent is running. If ingesting logs from a different time zone, use this field to set the time zone offset so that datetimes are correctly parsed. Acceptable time zone formats are: local time (Local), a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimitier + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. 
+ - input: udp + title: "Collect logs via syslog over UDP" + description: "Collecting firewall logs from PAN-OS instances (input: udp)" + template_path: udp.yml.hbs + vars: + - name: syslog_host + type: text + title: Syslog Host + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9001 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - panw-panos + - forwarded + - name: internal_zones + type: text + title: Internal Zones + multi: true + required: false + show_user: false + default: + - trust + - name: external_zones + type: text + title: External Zones + multi: true + required: false + show_user: false + default: + - untrust + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Time Zone Offset + multi: false + required: true + show_user: true + default: Local + description: >- + By default, datetimes in the logs without a time zone will be interpreted as relative to the time zone configured in the host where the agent is running. If ingesting logs from a different time zone, use this field to set the time zone offset so that datetimes are correctly parsed. Acceptable time zone formats are: local time (Local), a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ vars:
+ - name: tz_offset
+ type: text
+ title: Time Zone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs without a time zone will be interpreted as relative to the time zone configured in the host where the agent is running. If ingesting logs from a different time zone, use this field to set the time zone offset so that datetimes are correctly parsed. Acceptable time zone formats are: local time (Local), a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - panw-panos
+ - forwarded
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: logfile.yml.hbs
+ title: Log files
+ description: Collect logs via log file
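Review bot: The `tz_offset` default is inconsistent across the three streams: the tcp and udp streams declare `default: Local`, the logfile stream declares `default: local`, and the shared description names the accepted spelling as `(Local)`, so the logfile stream should read `default: Local` like the other two. Whether the downstream timezone lookup is case-sensitive cannot be confirmed from this hunk, but a default that differs from the documented form is a defect either way. The commented example in the tcp stream's `tcp_options` default also misspells the option value as `#framing: delimitier`; a user who uncomments it gets an invalid setting, so it should read `#framing: delimiter`.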
diff --git a/packages/panw/2.2.2/data_stream/panos/sample_event.json b/packages/panw/2.2.2/data_stream/panos/sample_event.json
new file mode 100755
index 0000000000..138a503b60
--- /dev/null
+++ b/packages/panw/2.2.2/data_stream/panos/sample_event.json
@@ -0,0 +1,192 @@ +{ + "@timestamp": "2018-11-30T16:09:07.000Z", + "agent": { + "ephemeral_id": "ff87971e-45e3-4ef8-8517-bd986fd8e553", + "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "panw.panos", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 5976, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "packets": 20, + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "flow_terminated", + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2018-11-30T16:09:07.000Z", + "dataset": "panw.panos", + "duration": 586000000000, + "end": "2018-11-30T16:08:50.000Z", + "ingested": "2022-05-15T06:01:30Z", + "kind": "event", + "outcome": "success", + "start": "2018-11-30T15:59:04.000Z", + "timezone": "+00:00", + "type": [ + "allowed", + "end", + "connection" + ] + }, + "hostname": "PA-220", + "input": { + "type": "syslog" + }, + "labels": { + "nat_translated": true + }, + "log": { + "source": { + "address": "192.168.208.4:47747" + } + }, + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network": { + "application": 
"apple-maps", + "bytes": 7734, + "community_id": [ + "1:La5Jgm/PJBlaHF8BtgJSyZEmW9E=", + "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM=" + ], + "packets": 36, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "allow", + "action_flags": "0x0", + "action_source": "from-policy", + "destination": { + "nat": { + "ip": "175.16.199.1", + "port": 443 + } + }, + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "endreason": "tcp-fin", + "flow_id": "22751", + "imsi": "0", + "log_profile": "send_to_mac", + "network": { + "nat": { + "community_id": "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM=" + } + }, + "parent_session": { + "id": "0" + }, + "related_vsys": "vsys1", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "scp": { + "assoc_id": "0", + "chunks": 0, + "chunks_received": 0, + "chunks_sent": 0 + }, + "sequence_number": 32091112, + "source": { + "nat": { + "ip": "192.168.1.63", + "port": 16418 + } + }, + "sub_type": "end", + "tunnel_type": "N/A", + "type": "TRAFFIC", + "url": { + "category": "computer-and-internet-info" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.207", + "175.16.199.1", + "192.168.1.63" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "bytes": 1758, + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.207", + "nat": { + "ip": "192.168.1.63", + "port": 16418 + }, + "packets": 16, + "port": 55113 + }, + "syslog": {}, + "tags": [ + "panw-panos", + "forwarded" + ] +} \ No newline at end of file 
diff --git a/packages/panw/2.2.2/docs/README.md b/packages/panw/2.2.2/docs/README.md
new file mode 100755
index 0000000000..e74f591906
--- /dev/null
+++ b/packages/panw/2.2.2/docs/README.md
@@ -0,0 +1,458 @@
+# Palo Alto Network Integration
+
+This integration is for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of [GlobalProtect](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html), [HIP Match](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields.html), [Threat](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html), [Traffic](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html) and [User-ID](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields.html) types.
+
+## Compatibility
+
+This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.
+
+The ingest-geoip Elasticsearch plugin is required to run this module.
+
+## Logs
+
+### PAN-OS
+
+An example event for `panos` looks as following:
+
+```json
+{
+ "@timestamp": "2018-11-30T16:09:07.000Z",
+ "agent": {
+ "ephemeral_id": "ff87971e-45e3-4ef8-8517-bd986fd8e553",
+ "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "panw.panos",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 5976,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "name": "United States",
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "nat": {
+ "ip": "175.16.199.1",
+ "port": 443
+ },
+ "packets": 20,
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "69c5b3bb-a0c8-407c-9f6f-166c94a2d63f",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "flow_terminated",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2018-11-30T16:09:07.000Z",
+ "dataset": "panw.panos",
+ "duration": 586000000000,
+ "end": "2018-11-30T16:08:50.000Z",
+ "ingested": "2022-05-15T06:01:30Z",
+ "kind": "event",
+ "outcome": "success",
+ "start": "2018-11-30T15:59:04.000Z",
+ "timezone": "+00:00",
+ "type": [
+ "allowed",
+ "end",
+ "connection"
+ ]
+ },
+ "hostname": "PA-220",
+ "input": {
+ "type": "syslog"
+ },
+ "labels": {
+ "nat_translated": true
+ },
+ "log": {
+ "source": {
+ "address": "192.168.208.4:47747"
+ }
+ },
+ "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United 
States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "network": {
+ "application": "apple-maps",
+ "bytes": 7734,
+ "community_id": [
+ "1:La5Jgm/PJBlaHF8BtgJSyZEmW9E=",
+ "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
+ ],
+ "packets": 36,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "ethernet1/1"
+ },
+ "zone": "untrust"
+ },
+ "hostname": "PA-220",
+ "ingress": {
+ "interface": {
+ "name": "ethernet1/2"
+ },
+ "zone": "trust"
+ },
+ "product": "PAN-OS",
+ "serial_number": "012801096514",
+ "type": "firewall",
+ "vendor": "Palo Alto Networks"
+ },
+ "panw": {
+ "panos": {
+ "action": "allow",
+ "action_flags": "0x0",
+ "action_source": "from-policy",
+ "destination": {
+ "nat": {
+ "ip": "175.16.199.1",
+ "port": 443
+ }
+ },
+ "device_group_hierarchy1": "0",
+ "device_group_hierarchy2": "0",
+ "device_group_hierarchy3": "0",
+ "device_group_hierarchy4": "0",
+ "endreason": "tcp-fin",
+ "flow_id": "22751",
+ "imsi": "0",
+ "log_profile": "send_to_mac",
+ "network": {
+ "nat": {
+ "community_id": "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
+ }
+ },
+ "parent_session": {
+ "id": "0"
+ },
+ "related_vsys": "vsys1",
+ "repeat_count": 1,
+ "ruleset": "new_outbound_from_trust",
+ "scp": {
+ "assoc_id": "0",
+ "chunks": 0,
+ "chunks_received": 0,
+ "chunks_sent": 0
+ },
+ "sequence_number": 32091112,
+ "source": {
+ "nat": {
+ "ip": "192.168.1.63",
+ "port": 16418
+ }
+ },
+ "sub_type": "end",
+ "tunnel_type": "N/A",
+ "type": "TRAFFIC",
+ "url": {
+ "category": "computer-and-internet-info"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "PA-220"
+ ],
+ "ip": [
+ "192.168.15.207",
+ "175.16.199.1",
+ "192.168.1.63"
+ ]
+ },
+ "rule": {
+ "name": "new_outbound_from_trust"
+ },
+ "source": {
+ "bytes": 1758,
+ "geo": {
+ "name": "192.168.0.0-192.168.255.255"
+ },
+ "ip": "192.168.15.207",
+ "nat": {
+ "ip": "192.168.1.63",
+ "port": 16418
+ },
+ "packets": 16,
+ "port": 55113
+ },
+ "syslog": {},
+ "tags": [
+ "panw-panos",
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
+| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long |
+| client.packets | Packets sent from the client to the server. | long |
+| client.port | Port of the client. | long |
+| client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. 
| ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.email | User email address. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Name of host parsed from syslog message. | keyword | +| http.request.referer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. 
| object | +| labels.captive_portal | | boolean | +| labels.container_page | | boolean | +| labels.http_proxy | | boolean | +| labels.ipv6_session | | boolean | +| labels.nat_translated | | boolean | +| labels.pcap_included | | boolean | +| labels.ssl_decrypted | | boolean | +| labels.symmetric_return | | boolean | +| labels.temporary_match | | boolean | +| labels.url_filter_denied | | boolean | +| labels.x_forwarded_for | | boolean | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. 
| keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| panw.panos.action | Action taken for the session. | keyword | +| panw.panos.action_flags | 32-bit field that provides details on session, details about specific values is found in the Palo Alto Traffic Field documentation. | keyword | +| panw.panos.action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. | keyword | +| panw.panos.attempted_gateways | The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority | keyword | +| panw.panos.auth_method | A string showing the authentication type. | keyword | +| panw.panos.client_ver | The client’s GlobalProtect app version. | keyword | +| panw.panos.connect_method | A string showing the how the GlobalProtect app connects to Gateway. | keyword | +| panw.panos.content_version | Applications and Threats version on your firewall when the log was generated. | keyword | +| panw.panos.datasource | Source from which mapping information is collected. | keyword | +| panw.panos.datasourcename | User-ID source that sends the IP (Port)-User Mapping. | keyword | +| panw.panos.datasourcetype | Mechanism used to identify the IP/User mappings within a data source. 
| keyword | +| panw.panos.description | Additional information for any event that has occurred. | keyword | +| panw.panos.destination.interface | Destination interface for this session. | keyword | +| panw.panos.destination.nat.ip | Post-NAT destination IP. | ip | +| panw.panos.destination.nat.port | Post-NAT destination port. | long | +| panw.panos.destination.zone | Destination zone for this session. | keyword | +| panw.panos.destination_vm_uuid | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword | +| panw.panos.device_group_hierarchy1 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy2 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy3 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. 
The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.endreason | The reason a session terminated. | keyword | +| panw.panos.error_code | An integer associated with any errors that occurred. | integer | +| panw.panos.factorcompletiontime | Time the authentication was completed. | date | +| panw.panos.factorno | Indicates the use of primary authentication (1) or additional factors (2, 3). | integer | +| panw.panos.factortype | Vendor used to authenticate a user when Multi Factor authentication is present. | keyword | +| panw.panos.file.hash | Binary hash for a threat file sent to be analyzed by the WildFire service. | keyword | +| panw.panos.flow_id | Internal numeric identifier for each session. | keyword | +| panw.panos.http_content_type | Content type of the HTTP response data | keyword | +| panw.panos.http_headers | Indicates the inserted HTTP header in the URL log entries on the firewall. | keyword | +| panw.panos.imei | International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. | keyword | +| panw.panos.imsi | International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system | keyword | +| panw.panos.log_profile | Log Forwarding Profile that was applied to the session. | keyword | +| panw.panos.matchname | Name of the HIP object or profile. | keyword | +| panw.panos.matchtype | Whether the document represents a HIP object or a HIP profile. | keyword | +| panw.panos.network.nat.community_id | Community ID flow-hash for the NAT 5-tuple. | keyword | +| panw.panos.network.pcap_id | Packet capture ID for a threat. | keyword | +| panw.panos.parent_session.id | ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. 
| keyword | +| panw.panos.parent_session.start_time | Date that the parent tunnel session began. | date | +| panw.panos.payload_protocol_id | ID of the protocol for the payload in the data portion of the data chunk. | keyword | +| panw.panos.priority | The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect. | keyword | +| panw.panos.related_vsys | Virtual System associated with the session. | keyword | +| panw.panos.repeat_count | Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. | long | +| panw.panos.ruleset | Name of the rule that matched this session. | keyword | +| panw.panos.scp.assoc_id | Number that identifies all connections for an association between two SCTP endpoints. | keyword | +| panw.panos.scp.chunks | Sum of SCTP chunks sent and received for an association. | long | +| panw.panos.scp.chunks_received | Number of SCTP chunks received for an association. | long | +| panw.panos.scp.chunks_sent | Number of SCTP chunks sent for an association. | long | +| panw.panos.selection_type | The connection method that is selected to connect to the gateway. | keyword | +| panw.panos.sequence_number | Log entry identifier that is incremented sequentially. Unique for each log type. | long | +| panw.panos.serial_number | The serial number of the user’s machine or device. | keyword | +| panw.panos.source.interface | Source interface for this session. | keyword | +| panw.panos.source.nat.ip | Post-NAT source IP. | ip | +| panw.panos.source.nat.port | Post-NAT source port. | long | +| panw.panos.source.zone | Source zone for this session. | keyword | +| panw.panos.source_vm_uuid | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword | +| panw.panos.stage | A string showing the stage of the connection. 
| keyword | +| panw.panos.sub_type | Specifies the sub type of the log. | keyword | +| panw.panos.threat.id | Palo Alto Networks identifier for the threat. | keyword | +| panw.panos.threat.name | Palo Alto Networks name for the threat. | keyword | +| panw.panos.threat.resource | URL or file name for a threat. | keyword | +| panw.panos.threat_category | Describes threat categories used to classify different types of threat signatures. | keyword | +| panw.panos.timeout | Timeout after which the IP/User Mappings are cleared. | integer | +| panw.panos.tunnel_type | Type of tunnel, such as GRE or IPSec. | keyword | +| panw.panos.type | Specifies the type of the log. | keyword | +| panw.panos.ugflags | Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. | keyword | +| panw.panos.url.category | For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. | keyword | +| panw.panos.url_idx | When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. | keyword | +| panw.panos.virtual_sys | Virtual System associated with the HIP match log. | keyword | +| panw.panos.vsys_id | A unique identifier for a virtual system on a Palo Alto Networks firewall. | keyword | +| panw.panos.vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. 
| keyword | +| panw.panos.wildfire.name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword | +| panw.panos.wildfire.report_id | Identifies the analysis request on the WildFire cloud or the WildFire appliance. | keyword | +| panw.panos.wildfire_name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | +| server.packets | Packets sent from the server to the client. | long | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | +| source.user.email | User email address. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility | Syslog numeric facility of the event. | long | +| syslog.facility_label | Syslog text-based facility of the event. | keyword | +| syslog.priority | Syslog priority of the event. | long | +| syslog.severity_label | Syslog text-based severity of the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/panw/2.2.2/img/filebeat-panw-threat.png b/packages/panw/2.2.2/img/filebeat-panw-threat.png new file mode 100755 index 0000000000..46959b21a7 Binary files /dev/null and b/packages/panw/2.2.2/img/filebeat-panw-threat.png differ diff --git a/packages/panw/2.2.2/img/filebeat-panw-traffic.png b/packages/panw/2.2.2/img/filebeat-panw-traffic.png new file mode 100755 index 0000000000..ef9d5f706e Binary files /dev/null and b/packages/panw/2.2.2/img/filebeat-panw-traffic.png differ diff --git a/packages/panw/2.2.2/img/logo-integrations-paloalto-networks.svg b/packages/panw/2.2.2/img/logo-integrations-paloalto-networks.svg new file mode 100755 index 0000000000..8c8e71ae0d --- /dev/null +++ b/packages/panw/2.2.2/img/logo-integrations-paloalto-networks.svg 
@@ -0,0 +1,29 @@ + + + logo-integrations-Desktop HD + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json b/packages/panw/2.2.2/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..5f414f2c23 --- /dev/null +++ b/packages/panw/2.2.2/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Palo Alto Networks PAN-OS Threats Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"title\":\"Threat outcome histogram\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"title\":\"Top threats by name\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"title\":\"Top threats by resource\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"title\":\"Top attackers (clients)\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"title\":\"Top attackers (servers)\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"title\":\"Outcome by threat type\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs PANW] Threats Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": 
"panw-772964e0-7591-11e9-aacf-79a3704914a0", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "panw-3eca1070-7589-11e9-aacf-79a3704914a0", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "panw-90ce3300-758a-11e9-aacf-79a3704914a0", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "panw-a95aaf20-758a-11e9-aacf-79a3704914a0", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "panw-6dce7930-758c-11e9-aacf-79a3704914a0", + "name": "6:panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..2f88ac80b3 --- /dev/null +++ b/packages/panw/2.2.2/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json 
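Review bot: The six panel entries in panelsJSON still carry `\"version\":\"7.3.0\"` while the object itself is tagged `"coreMigrationVersion": "8.0.0"` and the sibling Network Flows dashboard's panels carry `\"version\":\"8.0.0\"`. Presumably Kibana re-migrates the panels on import, so this is not a functional problem, but re-exporting this dashboard from the same 8.x stack as the other objects would keep the two dashboards consistent and avoid relying on import-time migration of a 7.3-era panel layout.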
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Palo Alto Networks PAN-OS Networks Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"f1552cbe-a7ee-44aa-8267-84a5becc47b0\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"e05f7ca1-ad23-44f5-ba1e-fd4593862f64\\\",\\\"includeInFitToBounds\\\
":true,\\\"joins\\\":[],\\\"label\\\":\\\"Source Flows Map [Logs PANW]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"1a4eafd8-1bc1-42c8-9679-cffe5c9f7d81\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\
"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Source Flows Map [Logs 
PANW]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"c31e5ac3-5063-4124-9a6f-b01af9e160b4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c31e5ac3-5063-4124-9a6f-b01af9e160b4\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"b690c8fa-43ee-4991-9db5-9ea7243272d1\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"4fafc878-ca54-4363-9bd9-7b9af45ee80a\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Destination Flows Map [Logs PANW]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"846dde31-2090-4d3b-85d4-8a6e3bee3ec7\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\
"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Flows Map [Logs PANW]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"2b2d20f7-1d92-47e1-b44d-223c78a812a2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2b2d20f7-1d92-47e1-b44d-223c78a812a2\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs PANW] Network Flows", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-e40ba240-7572-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "panw-78e7e820-756d-11e9-976e-65a8f47cc4c1", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "panw-d9cab170-756f-11e9-976e-65a8f47cc4c1", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "panw-135930b0-7570-11e9-976e-65a8f47cc4c1", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "panw-e46331c0-756a-11e9-976e-65a8f47cc4c1", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "c31e5ac3-5063-4124-9a6f-b01af9e160b4:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"2b2d20f7-1d92-47e1-b44d-223c78a812a2:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/panw/2.2.2/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json
new file mode 100755
index 0000000000..c08f6d087c
--- /dev/null
+++ b/packages/panw/2.2.2/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json
@@ -0,0 +1,33 @@
+{
+ "attributes": {
+ "columns": [
+ "_source"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"panw.panos\\\" and panw.panos.type: \\\"TRAFFIC\\\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "PAN-OS Flows [Logs PANW]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/panw/2.2.2/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json
new file mode 100755
index 0000000000..846fb7a7f9
--- /dev/null
+++ b/packages/panw/2.2.2/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json
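Review bot: Both embedded map panels aggregate the whole `logs-*` index pattern with no dataset restriction: each layer's sourceDescriptor (type `ES_GEO_GRID`, `indexPatternId` `logs-*`, `applyGlobalQuery` true) has no query of its own, and the dashboard-level query in searchSourceJSON is empty, so every document in `logs-*` with a `source.geo.location` / `destination.geo.location` is counted, not just PAN-OS flows. The other panels on this dashboard are scoped through the `PAN-OS Flows [Logs PANW]` saved search to `data_stream.dataset: "panw.panos"`, so on a stack where other integrations ship geo-enriched logs the two maps will disagree with the bar and pie panels next to them. Setting the dashboard query to `data_stream.dataset: "panw.panos"` (or adding an equivalent `query` to each map layer) would keep the maps consistent with the rest of the dashboard; the `timeFilters` of `now-15m` in mapStateJSON are an export artifact and can be dropped at the same time.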
@@ -0,0 +1,33 @@
+{
+ "attributes": {
+ "columns": [
+ "_source"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"panw.panos\\\" and event.category: \\\"threat\\\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "PAN-OS Threats [Logs PANW]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/panw/2.2.2/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json
new file mode 100755
index 0000000000..be4bab5c29
--- /dev/null
+++ b/packages/panw/2.2.2/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Network Application breakout [Logs PANW]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.application\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Application breakout [Logs PANW]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/panw/2.2.2/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json
new file mode 100755
index 0000000000..a7f340853b
--- /dev/null
+++ b/packages/panw/2.2.2/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json
@@ -0,0 +1,28 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Destination Flows Map [Logs PANW]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"title\":\"Destination Flows Map [Logs PANW]\",\"type\":\"tile_map\"}"
+ },
+ "id": "panw-091fe860-756a-11e9-976e-65a8f47cc4c1",
+ "migrationVersion": {
+ "visualization": "7.8.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/panw/2.2.2/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json
new file mode 100755
index 0000000000..7016404bd6
--- /dev/null
+++ b/packages/panw/2.2.2/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json
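Review bot: This visualization looks like a leftover from before the map migration: its visState is `\"type\":\"tile_map\"`, it has `"migrationVersion": {"visualization": "7.8.0"}`, a `"namespaces": ["default"]` array and no `coreMigrationVersion`, whereas every other saved object in this diff is at 8.0.0 and has no `namespaces` field. Neither dashboard in this diff references `panw-091fe860-756a-11e9-976e-65a8f47cc4c1`; the Network Flows dashboard embeds a `map` panel titled `Destination Flows Map [Logs PANW]` in its place. If nothing elsewhere in the package references this id, dropping the file avoids shipping a deprecated tile_map object alongside its replacement; if it is still wanted, it should at least be re-exported so its migration metadata matches the sibling objects.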
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat outcome histogram [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2018-04-10T04:36:19.586Z\",\"to\":\"2018-04-10T04:39:56.264Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style
\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Threat outcome histogram [Logs PANW]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..bf27c0cd11 --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json 
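Review bot: The date_histogram aggregation in visState carries an export-time artifact, `\"timeRange\":{\"from\":\"2018-04-10T04:36:19.586Z\",\"to\":\"2018-04-10T04:39:56.264Z\"}`, next to `\"interval\":\"auto\"`; presumably Kibana recomputes the range from the global time picker, but the fixed window reflects the author's test data and can be removed from params. In the same visState, seriesParams has `\"show\":\"true\"` as a string, while the sibling Destination Zone breakout visualization uses the boolean `\"show\":true`; the boolean form should be used here too so the two objects agree.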
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_started\"},\"type\":\"phrase\",\"value\":\"flow_started\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_started\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Zone breakout [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.egress.zone\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"show
Circles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Zone breakout [Logs PANW]\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-135930b0-7570-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json b/packages/panw/2.2.2/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..0c708ee94e --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat ID Cloud [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"panw.panos.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Threat ID Cloud [Logs PANW]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-3eca1070-7589-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..5728ee6fb5 --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat Resource Cloud [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Threat Resource Cloud [Logs PANW]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json b/packages/panw/2.2.2/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..d2459f922b --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Threat Type [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Outcome by Threat Type [Logs PANW]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-6dce7930-758c-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..870ce3511a --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_terminated\"},\"type\":\"phrase\",\"value\":\"flow_terminated\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_terminated\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Flow Creation Histogram [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2018-04-10T04:36:19.586Z\",\"to\":\"2018-04-10T04:39:56.264Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\"
:true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Creation Histogram [Logs PANW]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-78e7e820-756d-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..5949ed514b --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Flows Map [Logs PANW]", + "uiStateJSON": "{\"mapCenter\":[-0.17578097424708533,0.17578125],\"mapZoom\":1}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"title\":\"Source Flows Map [Logs PANW]\",\"type\":\"tile_map\"}" + }, + "id": "panw-87f30f60-7569-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json b/packages/panw/2.2.2/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..e99da50ff7 --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json 
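Review bot: This saved object is the only visualization in this run of hunks whose `visState` type is `tile_map`, and its metadata differs accordingly: `migrationVersion.visualization` is `7.8.0`, there is no `coreMigrationVersion`, and it carries a `namespaces` array that the sibling objects in this commit lack. tile_map is the legacy Kibana coordinate-map visualization, so this object probably still needs the tile_map-to-map conversion that the other panw visualizations would not require; at minimum its migration metadata should be brought in line with the `8.0.0` values used by the rest of the package so the export set is consistent.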
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.direction\",\"negate\":false,\"params\":{\"query\":\"inbound\"},\"type\":\"phrase\",\"value\":\"inbound\"},\"query\":{\"match\":{\"network.direction\":{\"query\":\"inbound\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top attackers (clients) [Logs PANW]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top attackers (clients) [Logs PANW]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-90ce3300-758a-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/2.2.2/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json b/packages/panw/2.2.2/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..a148bd4a95 --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.direction\",\"negate\":false,\"params\":{\"query\":\"outbound\"},\"type\":\"phrase\",\"value\":\"outbound\"},\"query\":{\"match\":{\"network.direction\":{\"query\":\"outbound\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top attackers (servers) [Logs PANW]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"server.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top attackers (servers) [Logs PANW]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-a95aaf20-758a-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/2.2.2/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..846d4bc515 --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_started\"},\"type\":\"phrase\",\"value\":\"flow_started\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_started\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Zone breakout [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.zone\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCirc
les\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Source Zone breakout [Logs PANW]\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-d9cab170-756f-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/2.2.2/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json b/packages/panw/2.2.2/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..6a2e310cac --- /dev/null +++ b/packages/panw/2.2.2/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Event Outcome by Transport and Destination Port [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Event Outcome by Transport and Destination Port [Logs PANW]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "panw-e46331c0-756a-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/2.2.2/manifest.yml b/packages/panw/2.2.2/manifest.yml new file mode 100755 index 0000000000..249116c4fd --- /dev/null +++ b/packages/panw/2.2.2/manifest.yml @@ -0,0 +1,50 @@ +name: panw +title: Palo Alto Networks Logs +version: 2.2.2 +release: ga +description: Collect PAN-OS firewall monitoring logs from Palo Alto Networks devices with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.2.1 +icons: + - src: /img/logo-integrations-paloalto-networks.svg + title: Palo Alto Networks + size: 216x216 + type: image/svg+xml +screenshots: + - src: /img/filebeat-panw-traffic.png + title: Traffic Dashboard + size: 2546x2888 + type: image/png + - src: /img/filebeat-panw-threat.png + title: Threat Dashboard + size: 2546x2496 + type: image/png +policy_templates: + - name: panw + title: Palo Alto Networks PAN-OS firewall logs + description: Collect logs from Palo Alto Networks PAN-OS firewall + inputs: + - type: tcp + title: "Collect logs via syslog over TCP" + description: "Collecting firewall logs from PAN-OS instances (input: tcp)" + - type: udp + title: "Collect logs via syslog over UDP" + description: "Collecting firewall logs from PAN-OS instances (input: udp)" + - type: logfile + title: "Collect logs via log file" + description: "Collecting logs via log file" + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/pan-os.log +owner: + github: elastic/security-external-integrations diff --git a/packages/pfsense/1.0.1/changelog.yml b/packages/pfsense/1.0.1/changelog.yml new file mode 100755 index 0000000000..a82207b850 --- /dev/null +++ b/packages/pfsense/1.0.1/changelog.yml 
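Review bot: `version: 2.2.2` and `format_version: 1.0.0` are left as plain scalars while the changelog hunks in this commit quote every version (`version: "1.0.1"`); both happen to parse as strings because of the second dot, but a two-component value such as `1.0` would become a float, so `version: "2.2.2"` and `format_version: "1.0.0"` keep the manifest consistent with the changelogs and robust against that trap. The `description` values containing `: ` are already quoted, which is the only quoting this file strictly requires.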
@@ -0,0 +1,61 @@ +# newer versions go on top +- version: "1.0.1" + changes: + - description: Format client.mac as per ECS. + type: bugfix + link: https://github.com/elastic/integrations/pull/3303 +- version: "1.0.0" + changes: + - description: Add OPNsense support. Add PHP-FPM log parsing. + type: bugfix + link: https://github.com/elastic/integrations/pull/2413 +- version: "0.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "0.3.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2432 +- version: "0.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2257 +- version: "0.1.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2091 +- version: "0.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1981 +- version: "0.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1842 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/1286 
diff --git a/packages/pfsense/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pfsense/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..9241b23255 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +- add_locale: ~ +- add_fields: + target: _tmp + fields: + tz_offset: {{tz_offset}} +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/pfsense/1.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/pfsense/1.0.1/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..ca515ab199 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +- add_fields: + target: _tmp + fields: + tz_offset: {{tz_offset}} +{{#if internal_networks.length}} + internal_networks: + {{#each internal_networks as |ntwrk i|}} + - {{ntwrk}} + {{/each}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..e520c07032 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
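Review bot: udp.yml.hbs appears to add an `internal_networks` list under the `_tmp` fields block when the variable is non-empty, but tcp.yml.hbs in the same hunk line has no equivalent block, so any pipeline logic keyed on `_tmp.internal_networks` would apply only to UDP-delivered logs; if that is not intentional, the same `{{#if internal_networks.length}}` block belongs in the TCP template. Separately, both templates emit `tz_offset: {{tz_offset}}` unquoted; an offset such as `+10:00` is a digits-and-colon scalar that some YAML 1.1 loaders read as a sexagesimal integer, and the ingest pipeline in this commit compares the value against the string `'local'`, so `tz_offset: "{{tz_offset}}"` is the safer form in both files.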
@@ -0,0 +1,182 @@ +--- +description: Pipeline for PFsense +processors: + - set: + field: ecs.version + value: '8.2.0' + - set: + field: observer.vendor + value: netgate + - set: + field: observer.type + value: firewall + - rename: + field: message + target_field: event.original + - set: + field: event.timezone + value: "{{_tmp.tz_offset}}" + if: ctx?._tmp?.tz_offset != null && ctx?._tmp?.tz_offset != 'local' + - grok: + description: Parse syslog header + field: event.original + patterns: + - '^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}' + pattern_definitions: + ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>(\d )?' + BSD_TIMESTAMP_FORMAT: '%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{OBSERVER})?%{SPACE}%{PROCESS}(\[%{POSINT:process.pid:long}\])?:' + SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - -' + TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' 
+ TIMESTAMP: '(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})' + OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})' + PROCESS: '(\(%{DATA:process.name}\)|(%{UNIXPATH}/)?%{WORD:process.name})' + - date: + if: ctx?._tmp.timestamp8601 != null + field: _tmp.timestamp8601 + target_field: '@timestamp' + formats: + - ISO8601 + - date: + if: ctx?.event?.timezone != null && ctx?._tmp?.timestamp != null + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + timezone: '{{ event.timezone }}' + - grok: + description: Set Event Provider + field: process.name + patterns: + - '^%{WORD:event.provider}' + - pipeline: + name: '{{ IngestPipeline "firewall" }}' + if: ctx.event.provider == 'filterlog' + - pipeline: + name: '{{ IngestPipeline "openvpn" }}' + if: ctx.event.provider == 'openvpn' + - pipeline: + name: '{{ IngestPipeline "ipsec" }}' + if: ctx.event.provider == 'charon' + - pipeline: + name: '{{ IngestPipeline "dhcp" }}' + if: ctx.event.provider == 'dhcpd' + - pipeline: + name: '{{ IngestPipeline "unbound" }}' + if: ctx.event.provider == 'unbound' + - pipeline: + name: '{{ IngestPipeline "haproxy" }}' + if: ctx.event.provider == 'haproxy' + - pipeline: + name: '{{ IngestPipeline "php-fpm" }}' + if: ctx.event.provider == 'php-fpm' + - pipeline: + name: '{{ IngestPipeline "squid" }}' + if: ctx.event.provider == 'squid' + - drop: + if: '!["filterlog", "openvpn", "charon", "dhcpd", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx?.event?.provider)' + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn 
+ - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{source.nat.ip}}" + allow_duplicates: false + if: ctx?.source?.nat?.ip != null + - append: + field: related.hosts + value: "{{destination.domain}}" + if: "ctx?.destination?.domain != null" + - append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" + - remove: + field: + - _tmp + ignore_failure: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || (v instanceof String && v == "-")); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - remove: + field: + - _tmp + ignore_failure: true + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
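Review bot: The `on_failure` handler at the end of this pipeline records `error.message` but never marks the document as a failed parse, so a document that failed inside a sub-pipeline keeps whatever partial ECS fields were set before the failure and is indistinguishable from a cleanly parsed one in detections and dashboards; adding `- set: { field: event.kind, value: pipeline_error }` next to the existing append makes such documents filterable. The first `date` processor's condition `ctx?._tmp.timestamp8601 != null` dereferences `_tmp` without the null-safe operator every other condition in this file uses (`ctx?._tmp?.tz_offset`, `ctx?._tmp?.timestamp`), so it would throw rather than evaluate false if `_tmp` were ever absent; `ctx?._tmp?.timestamp8601 != null` is the consistent form. The second `date` processor only runs when `event.timezone` is set, which for the BSD timestamp format means the value supplied via `tz_offset` or, when that is `'local'`, by the agent-side `add_locale` processor in the stream templates of this commit; a `description: Parse BSD timestamp; event.timezone comes from tz_offset or from the agent's add_locale processor` line on that processor would save the next reader from concluding BSD-format messages are silently left unparsed.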
diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml new file mode 100755 index 0000000000..f366964fba --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml 
@@ -0,0 +1,100 @@ +--- +description: Pipeline for PFsense DHCP logs +processors: + - grok: + field: message + patterns: + - '%{WORD:event.action} %{MIDDLE} via %{INTERFACE:observer.ingress.interface.name}' + - '%{GREEDYDATA}' + pattern_definitions: + INTERFACE: '[a-z0-9\.]+' + MAC_ADDRESS: '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})' + FROM: 'from %{MAC_ADDRESS:client.mac}' + ON: 'on %{IP:client.address} to %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' + FOR: 'for %{IP:client.address} \(%{IP:server.address}\)? from %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' + MIDDLE: '(?:%{FROM}|%{ON}|%{FOR})' + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + allow_duplicates: false + - append: + field: event.type + value: connection + allow_duplicates: false + - append: + field: event.type + value: protocol + allow_duplicates: false + - append: + field: event.type + value: info + allow_duplicates: false + - set: + field: network.protocol + value: dhcp + - set: + field: network.transport + value: udp + - set: + field: client.port + value: 68 + if: ctx?.client?.port == null + - set: + field: server.port + value: 67 + if: ctx?.server?.port == null + - set: + field: client.ip + value: "{{client.address}}" + ignore_empty_value: true + - set: + field: server.ip + value: "{{server.address}}" + ignore_empty_value: true + - uppercase: + field: client.mac + ignore_missing: true + - gsub: + field: client.mac + pattern: '[:]' + replacement: '-' + ignore_missing: true + - set: + field: source + copy_from: client + ignore_empty_value: true + - set: + field: destination + copy_from: server + ignore_empty_value: true + - community_id: + target_field: network.community_id + ignore_failure: true + - grok: + field: observer.ingress.interface.name + patterns: + - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" + ignore_missing: true + ignore_failure: true + - append: + field: related.ip + value: "{{source.ip}}" + 
allow_duplicates: false + if: "ctx?.source?.ip != null" + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: "ctx?.destination?.ip != null" + - append: + field: related.hosts + value: "{{pfsense.dhcp.hostname}}" + allow_duplicates: false + if: "ctx?.pfsense?.log?.dhcp?.hostname != null" +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml new file mode 100755 index 0000000000..cea025397d --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml 
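Review bot: The final `related.hosts` append in dhcp.yml never fires because its guard tests `ctx?.pfsense?.log?.dhcp?.hostname`, while the grok captures the hostname into `pfsense.dhcp.hostname` — the same path the `value` template reads. Change the guard to `if: "ctx?.pfsense?.dhcp?.hostname != null"` so DHCP client hostnames actually land in `related.hosts`, which is the field host-based correlation searches rely on. The two `related.ip` appends just above it use the matching path and are fine.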
@@ -0,0 +1,111 @@ +--- +description: Pipeline for PFsense Firewall logs +processors: + - grok: + field: message + patterns: + - "%{PF_LOG_ENTRY}%{GREEDYDATA}" + pattern_definitions: + PF_LOG_ENTRY: "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?" + PF_LOG_DATA: "%{INT},%{INT}?,,%{INT:rule.id},%{DATA:observer.ingress.interface.name},%{PF_REASON:event.reason},%{WORD:event.action},%{WORD:network.direction}," + PF_REASON: '[a-zA-Z-]+' + PF_IP_DATA: "%{NONNEGINT:network.bytes:long},%{IP:source.address},%{IP:destination.address}," + PF_IP_SPECIFIC_DATA: "%{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}" + PF_IPv4_SPECIFIC_DATA: "(?(4)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.ecn}?,%{NONNEGINT:pfsense.ip.ttl:long},%{NONNEGINT:pfsense.ip.id:long},%{NONNEGINT:pfsense.ip.offset:long},(?:%{WORD:pfsense.ip.flags}|%{PF_SPEC:pfsense.ip.flags}),%{INT:network.iana_number},%{WORD:network.transport}," + PF_IPv6_SPECIFIC_DATA: "(?(6)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.flow_label},%{WORD:pfsense.ip.flags},%{WORD:network.transport},%{INT:network.iana_number}," + PF_PROTOCOL_DATA: "%{PF_TCP_DATA}|%{PF_UDP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}" + PF_IPv6_VAR: "%{GREEDYDATA}" + PF_IPv6_ICMP: '' + PF_TCP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.tcp.length:long},%{WORD:pfsense.tcp.flags}?,%{NONNEGINT:pfsense.tcp.seq:long}?:?%{NONNEGINT},%{NONNEGINT:pfsense.tcp.ack:long}?,%{NONNEGINT:pfsense.tcp.window:long}?,%{WORD:pfsense.tcp.urg}?,%{GREEDYDATA:pfsense.tcp.options}" + PF_UDP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.udp.length:long}$" + PF_IGMP_DATA: "datalength=%{NONNEGINT:network.packets:long}" + PF_ICMP_DATA: "%{PF_ICMP_TYPE}%{PF_ICMP_RESPONSE}" + PF_ICMP_TYPE: "(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply))," + PF_ICMP_RESPONSE: 
"%{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}|%{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}" + PF_ICMP_ECHO_REQ_REPLY: "%{NONNEGINT:pfsense.icmp.id:long},%{NONNEGINT:pfsense.icmp.seq:long}" + PF_ICMP_UNREACHPORT: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:pfsense.icmp.unreachable.iana_number},%{NONNEGINT:pfsense.icmp.unreachable.port:long}" + PF_ICMP_UNREACHPROTO: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:[pfsense.icmp.unreachable.iana_number]}" + PF_ICMP_UNREACHABLE: "%{GREEDYDATA:pfsense.icmp.unreachable.other}" + PF_ICMP_NEED_FLAG: "%{IP:pfsense.icmp.destination.ip},%{NONNEGINT:pfsense.icmp.mtu:long}" + PF_ICMP_TSTAMP: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq}" + PF_ICMP_TSTAMP_REPLY: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq},%{INT:pfsense.icmp.otime},%{INT:pfsense.icmp.rtime},%{INT:pfsense.icmp.ttime}" + PF_SPEC: "[+]" + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + allow_duplicates: false + - set: + field: source.ip + value: "{{source.address}}" + ignore_empty_value: true + - set: + field: destination.ip + value: "{{destination.address}}" + ignore_empty_value: true + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.destination?.ip != null + - append: + field: event.type + value: denied + allow_duplicates: false + if: ctx?.event.action == 'block' + - append: + field: event.type + value: allowed + allow_duplicates: false + if: ctx?.event.action == 'pass' + - set: + field: network.type + value: ipv{{network.type}} + if: ctx?.network?.type == '4' || ctx?.network?.type == '6' + - lowercase: + field: network.transport + ignore_missing: true + - remove: + field: ack_number + ignore_missing: true + if: ctx?.ack_number == null || ctx?.ack_number == '' + - network_direction: + internal_networks_field: _tmp.internal_networks + - community_id: + target_field: 
network.community_id + ignore_failure: true + - grok: + field: observer.ingress.interface.name + patterns: + - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" + ignore_missing: true + ignore_failure: true + - split: + field: pfsense.tcp.options + separator: ';' + ignore_missing: true + ignore_failure: true + - date: + field: pfsense.icmp.otime + ignore_failure: true + formats: + - UNIX + - UNIX_MS + - date: + field: pfsense.icmp.rtime + ignore_failure: true + formats: + - UNIX + - UNIX_MS + - date: + field: pfsense.icmp.ttime + ignore_failure: true + formats: + - UNIX + - UNIX_MS +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml new file mode 100755 index 0000000000..d499152373 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml 
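Review bot: The three `date` processors at the end of firewall.yml (on `pfsense.icmp.otime`, `rtime` and `ttime`) set no `target_field`, and the date processor's default target is `@timestamp`, so an ICMP timestamp-reply log has its event time overwritten by whichever of the three parses last — a timeline-integrity problem for any investigation pivoting on `@timestamp`. Give each one an explicit target, e.g. `target_field: pfsense.icmp.otime` (and likewise for `rtime` and `ttime`), or drop the conversions if the raw epoch values are sufficient. Separately, `PF_ICMP_UNREACHPORT` and `PF_ICMP_UNREACHPROTO` name their captures with Logstash-style brackets (`%{IP:[pfsense.icmp.destination.ip]}`); as far as I know Elasticsearch's grok takes the semantic literally, which would create a bracketed key and leave it inconsistent with the unbracketed `pfsense.icmp.destination.ip` that `PF_ICMP_NEED_FLAG` writes.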
@@ -0,0 +1,129 @@ +--- +description: Pipeline for parsing PFsense HAProxy http, tcp and default logs. +processors: + - grok: + field: message + patterns: + - 'Connect from (%{IPORHOST:source.address}|-):%{POSINT:source.port:long} %{WORD} %{IPORHOST:destination.ip}:%{POSINT:destination.port:long} \(%{WORD:haproxy.frontend_name}/%{WORD:haproxy.mode}\)' + - '(%{IPORHOST:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{WORD:haproxy.frontend_name}~ %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} + %{NUMBER:haproxy.http.request.time_wait_ms:long}/%{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:haproxy.http.request.time_wait_without_data_ms:long}/%{NUMBER:temp.duration:long} + %{NUMBER:http.response.status_code:long} %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} + %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long} + (\{%{DATA:haproxy.http.request.captured_headers}\} \{%{DATA:haproxy.http.response.captured_headers}\} |\{%{DATA}\} )?"%{GREEDYDATA:haproxy.http.request.raw_request_line}"' + ignore_missing: false + pattern_definitions: + HAPROXY_DATE: (%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP} + on_failure: + - drop: + description: Drop if not a connection log + - date: + if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone == null + field: haproxy.request_date + target_field: '@timestamp' + formats: + - dd/MMM/yyyy:HH:mm:ss.SSS + - MMM dd HH:mm:ss + - date: + if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone != null + field: haproxy.request_date + 
target_field: '@timestamp' + formats: + - dd/MMM/yyyy:HH:mm:ss.SSS + - MMM dd HH:mm:ss + timezone: '{{ event.timezone }}' + - remove: + field: haproxy.request_date + - grok: + field: haproxy.http.request.raw_request_line + patterns: + - '%{WORD:http.request.method}%{SPACE}%{URIPATHPARAM:url.original}%{SPACE}HTTP/%{NUMBER:http.version}' + ignore_missing: true + if: 'ctx.haproxy?.http?.request?.raw_request_line != null && !ctx.haproxy?.http?.request?.raw_request_line.isEmpty() && ctx.haproxy?.http?.request?.raw_request_line != ""' + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - split: + field: haproxy.http.request.captured_headers + separator: \| + ignore_failure: true + ignore_missing: true + - split: + field: haproxy.http.response.captured_headers + separator: \| + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) + params: + scale: 1000000 + if: ctx.temp?.duration != null + - remove: + field: temp.duration + ignore_missing: true + - convert: + field: haproxy.bytes_read + target_field: http.response.bytes + type: long + ignore_missing: true + if: ctx.containsKey('http') + - set: + field: event.kind + value: event + - append: + field: 
event.category + value: web + if: "ctx?.haproxy?.mode == 'HTTP' || ctx?.haproxy?.http != null" + - append: + field: event.category + value: network + if: "ctx?.source.ip != null && ctx?.destination?.ip != null" + - append: + field: event.type + value: connection + if: "ctx?.source.ip != null && ctx?.destination?.ip != null" + - set: + field: event.outcome + value: success + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" + - set: + field: event.outcome + value: failure + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml new file mode 100755 index 0000000000..0ee5fae5ce --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml 
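Review bot: The `event.category: network` and `event.type: connection` appends near the end of haproxy.yml use `ctx?.source.ip`, which is not null-safe on the `source` object: if `source` is absent the `.ip` access throws and the document falls into the pipeline-level `on_failure`. The neighbouring conditions already spell this `ctx?.destination?.ip`; both guards should read `if: "ctx?.source?.ip != null && ctx?.destination?.ip != null"`. The grok captures `source.port` even when the address is `-`, so `source` usually exists, but the guard should not depend on that.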
@@ -0,0 +1,44 @@ +--- +description: Pipeline for PFsense IPSEC logs +processors: + - grok: + field: message + patterns: + - '%{PREFIX}%{GREEDYDATA}%{SOURCE} to %{DEST} \(%{NONNEGINT:network.bytes:long} bytes\)' + - '%{GREEDYDATA}' + pattern_definitions: + PREFIX: '\d+\[%{WORD}\]' + SOURCE: '%{IP:source.address}\[%{NONNEGINT:source.port:long}\]' + DEST: '%{IP:destination.address}\[%{NONNEGINT:destination.port:long}\]' + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + allow_duplicates: false + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx?.source?.address != null + - append: + field: event.type + value: end + allow_duplicates: false + if: ctx?.message.toLowerCase().contains('disconnected') + - set: + field: source.ip + value: "{{source.address}}" + ignore_empty_value: true + - set: + field: destination.ip + value: "{{destination.address}}" + ignore_empty_value: true + - set: + field: network.protocol + value: ipsec +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml new file mode 100755 index 0000000000..9afef3ba5d --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml 
@@ -0,0 +1,53 @@ +--- +description: Pipeline for PFsense OpenVPN logs +processors: + - grok: + field: message + patterns: + - '%{SOURCE}%{SPACE}peer%{SPACE}info:%{SPACE}%{GREEDYDATA:pfsense.openvpn.peer_info}' + - '%{SOURCE}%{SPACE}\[%{USERNAME:user.name}\]%{SPACE}%{GREEDYDATA}' + - "user%{SPACE}'%{USERNAME:user.name}'%{GREEDYDATA}" + - '%{USERNAME:user.name}/%{SOURCE}%{DATA}IPv4=(%{IP:source.nat.ip}|%{GREEDYDATA}),%{SPACE}IPv6=(%{IP:source.nat.ip}|%{GREEDYDATA})' + - '%{GREEDYDATA}%{SOURCE}' + - '%{GREEDYDATA}' + pattern_definitions: + SOURCE: '%{IP:source.address}:%{NONNEGINT:source.port:long}' + USERNAME: '[a-zA-Z0-9._-]+' + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + allow_duplicates: false + - append: + field: event.category + value: authentication + allow_duplicates: false + if: ctx?.message.contains('auth') + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx?.source?.address != null + - append: + field: event.type + value: error + allow_duplicates: false + if: ctx?.message.toLowerCase().contains('error') || ctx?.message.toLowerCase().contains('not auth') + - append: + field: event.type + value: start + allow_duplicates: false + if: ctx?.message.toLowerCase().contains('initiat') + - set: + field: source.ip + value: "{{source.address}}" + ignore_empty_value: true + - set: + field: network.protocol + value: openvpn +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml new file mode 100755 index 0000000000..7570a1da68 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml 
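Review bot: The `event.category: authentication` append in openvpn.yml tests `ctx?.message.contains('auth')` case-sensitively, while the `error` and `start` appends below it lower-case the message first, so mixed- or upper-case spellings of auth-related messages would not be tagged as authentication events and would be invisible to failed-login detections keyed on `event.category`. Use the same form as its siblings: `if: ctx?.message.toLowerCase().contains('auth')`. Also, the fourth grok pattern captures both the `IPv4=` and `IPv6=` values into `source.nat.ip`; it is worth confirming which value is kept when both are present.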
@@ -0,0 +1,46 @@ +--- +description: Pipeline for PFsense PHP-FPM logs +processors: + - grok: + field: message + patterns: + - '^%{DATA}: %{PF_APP_DATA}' + - '^%{GREEDYDATA}' + pattern_definitions: + PF_APP_DATA: '(%{PF_APP_LOGIN}|%{PF_APP_LOGOUT}|%{PF_APP_ERROR})' + PF_APP_LOGIN: "(%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address} \\(%{DATA}\\)" + PF_APP_LOGOUT: "User (%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address}" + PF_APP_ERROR: "webConfigurator %{DATA:_tmp.action} for user '%{DATA:user.name}' from: %{IP:source.address}" + - set: + field: event.kind + value: event + - append: + field: event.category + value: authentication + allow_duplicates: false + - set: + field: event.outcome + value: success + if: 'ctx._tmp?.action.toLowerCase().contains("success")' + - set: + field: event.outcome + value: failure + if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")' + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: observer.ip + target_field: host.ip + ignore_missing: true + - rename: + field: observer.name + target_field: host.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml new file mode 100755 index 0000000000..29e8bbee97 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml 
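Review bot: The two `event.outcome` conditions in php-fpm.yml, `ctx._tmp?.action.toLowerCase().contains("success")` and its `authentication error` twin, dereference `_tmp.action` without a null check; for any line matched by the fallback `^%{GREEDYDATA}` pattern `_tmp` is absent, `toLowerCase()` throws, and the pipeline-level `on_failure` takes over — the event gets an `error.message` and the later `convert`/`rename` steps never run. Guard the field first: `if: 'ctx._tmp?.action != null && ctx._tmp.action.toLowerCase().contains("success")'` (and the same for the failure case). The unconditional `event.category: authentication` append also tags those unparsed lines as authentication events; consider conditioning it on `_tmp.action` as well.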
@@ -0,0 +1,90 @@ +--- +description: Pipeline for parsing PFsense Squid logs. +processors: + - grok: + field: message + patterns: + - '%{IPORHOST:source.address} %{NOTSPACE:squid.request_status}/%{NUMBER:http.response.status_code:long} %{NUMBER:http.response.bytes:long} %{NOTSPACE:http.request.method} (%{URI:url.original})?%{SPACE}%{NOTSPACE:http.request.referrer}%{SPACE}%{NOTSPACE:squid.hierarchy_status}/%{IPORHOST:destination.address}%{SPACE}%{NOTSPACE:http.response.mime_type}' + ignore_missing: false + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +# - split: +# field: haproxy.http.request.captured_headers +# separator: \| +# ignore_failure: true +# ignore_missing: true +# - split: +# field: haproxy.http.response.captured_headers +# separator: \| +# ignore_failure: true +# ignore_missing: true +# - script: +# lang: painless +# source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) +# params: +# scale: 1000000 +# if: ctx.temp?.duration != null +# - remove: +# field: temp.duration +# ignore_missing: true +# - convert: +# field: haproxy.bytes_read +# target_field: http.response.bytes +# type: long +# ignore_missing: true +# if: ctx.containsKey('http') + - set: + field: event.kind + value: event + - append: + field: 
event.category + value: web + - append: + field: event.category + value: network + - set: + field: event.outcome + value: success + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" + - set: + field: event.outcome + value: failure + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml new file mode 100755 index 0000000000..5bdbdb6d2e --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml 
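Review bot: squid.yml carries roughly thirty lines of commented-out processors copied from haproxy.yml (`haproxy.http.request.captured_headers`, `temp.duration`, `haproxy.bytes_read`) that reference fields this pipeline never produces; dead configuration like this should be deleted rather than committed. Also, the `event.category` appends for `web` and `network` omit `allow_duplicates: false`, which every other pipeline in this change sets, and `on_failure` uses `set` where the sibling pipelines `append` to `error.message`; aligning both keeps behaviour uniform across the data stream.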
@@ -0,0 +1,70 @@ +--- +description: Pipeline for PFsense Unbound DNS logs +processors: + - grok: + field: message + patterns: + - '%{LOGLEVEL:log.level}: %{IP:source.address} %{HOSTNAME:_tmp.question.name}(\.) %{WORD:_tmp.question.type} %{WORD:_tmp.question.class}' + on_failure: + - drop: + description: Drop if not a query log + - set: + field: event.kind + value: event + - append: + field: event.category + value: network + allow_duplicates: false + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx?.source?.address != null + - append: + field: event.type + value: end + allow_duplicates: false + if: ctx?.message.toLowerCase().contains('disconnected') + - set: + field: network.protocol + value: dns + - set: + field: dns.type + value: question + if: ctx?._tmp?.question?.name != null + - registered_domain: + field: _tmp.question.name + target_field: dns.question + ignore_missing: true + - rename: + field: dns.question.domain + target_field: dns.question.name + ignore_missing: true + - rename: + field: _tmp.question.type + target_field: dns.question.type + ignore_missing: true + - rename: + field: _tmp.question.class + target_field: dns.question.class + ignore_missing: true + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + - set: + field: client + copy_from: source + ignore_empty_value: true + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.1/data_stream/log/fields/agent.yml b/packages/pfsense/1.0.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..c961daeee1 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/fields/agent.yml 
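Review bot: `dns.type` is set to `question` in unbound.yml, which is not one of the values ECS documents for this field (`query`/`answer`), so detection rules and dashboards filtering on `dns.type: query` will miss these events; `value: query` is the ECS-conformant choice for a query log. The `event.type: end` append conditioned on `message` containing `disconnected` looks carried over from the ipsec pipeline — the only grok pattern here matches query lines and anything else is dropped, so the branch seems unlikely to ever apply and could be removed.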
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: hostname + type: keyword + description: Hostname from syslog header. 
+- name: log.source.address + type: keyword + description: Source address of the syslog message. +- name: process.program + type: keyword + description: Process from syslog header. diff --git a/packages/pfsense/1.0.1/data_stream/log/fields/base-fields.yml b/packages/pfsense/1.0.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..8007b1ad5b --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: pfsense +- name: event.dataset + type: constant_keyword + description: Event dataset + value: pfsense.log diff --git a/packages/pfsense/1.0.1/data_stream/log/fields/ecs.yml b/packages/pfsense/1.0.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..76d91edc71 --- /dev/null +++ b/packages/pfsense/1.0.1/data_stream/log/fields/ecs.yml 
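Review bot: The `example` for `cloud.account.id` in agent.yml is the bare scalar `666777888999`, which YAML parses as an integer while the field is a `keyword`; quote it as `example: "666777888999"` so the example carries the same type as the field, as the `os.build` example (`"18D109"`) further down already does.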
@@ -0,0 +1,565 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: client.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: client.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.as.organization.name
+ type: keyword
+- description: Bytes sent from the client to the server.
+ name: client.bytes
+ type: long
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: City name.
+ name: client.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ ignore_above: 1024
+ name: client.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: client.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: client.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: client.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: client.geo.region_name
+ type: keyword
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
+- description: |-
+ MAC address of the client.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: client.mac
+ type: keyword
+- description: Port of the client.
+ name: client.port
+ type: long
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps).
It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: |-
+ Mime type of the body of the response.
+ This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
+ name: http.response.mime_type
+ type: keyword
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: VLAN ID as reported by the observer.
+ name: observer.ingress.vlan.id
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: Bytes sent from the server to the client.
+ name: server.bytes
+ type: long
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: Port of the server.
+ name: server.port
+ type: long
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: String indicating the cipher used during the current connection.
+ name: tls.cipher
+ type: keyword
+- description: Numeric part of the version parsed from the original string.
+ name: tls.version
+ type: keyword
+- description: Normalized lowercase protocol name parsed from original string.
+ name: tls.version_protocol
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/pfsense/1.0.1/data_stream/log/fields/fields.yml b/packages/pfsense/1.0.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..7a350eba17
--- /dev/null
+++ b/packages/pfsense/1.0.1/data_stream/log/fields/fields.yml
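Review bot: `client.geo.continent_name` is the only entry in this file that sets `ignore_above: 1024`; its siblings `destination.geo.continent_name` and `source.geo.continent_name`, and every other keyword here, leave it unset, so the three continent fields end up mapped differently for no apparent reason. Either drop `ignore_above: 1024` from `client.geo.continent_name` or add it to the other two so they agree. In the same spirit, `source.geo.location` lacks the `example: '{ "lon": -73.614830, "lat": 45.505918 }'` that the client and destination `geo.location` entries carry. One caveat worth a line in the description of `url.password` (mapped as a searchable keyword): if the pipeline ever copies it from observed URLs, credentials become indexed content, so it should state whether the pipeline is expected to leave it unset or mask it.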
@@ -0,0 +1,256 @@
+- name: pfsense.ip
+ type: group
+ fields:
+ - name: tos
+ type: keyword
+ description: |
+ IP Type of Service identification.
+ - name: ecn
+ type: keyword
+ description: |
+ Explicit Congestion Notification.
+ - name: ttl
+ type: long
+ description: |
+ Time To Live (TTL) of the packet
+ - name: id
+ type: long
+ description: |
+ ID of the packet
+ - name: offset
+ type: long
+ description: |
+ Fragment offset
+ - name: flags
+ type: keyword
+ description: |
+ IP flags.
+ - name: flow_label
+ type: keyword
+ description: |
+ Flow label
+- name: pfsense.tcp
+ type: group
+ fields:
+ - name: flags
+ type: keyword
+ description: |
+ TCP flags.
+ - name: seq
+ type: long
+ description: |
+ TCP sequence number.
+ - name: ack
+ type: long
+ description: |
+ TCP Acknowledgment number.
+ - name: window
+ type: long
+ description: |
+ Advertised TCP window size.
+ - name: urg
+ type: keyword
+ description: |
+ Urgent pointer data.
+ - name: options
+ type: array
+ description: |
+ TCP Options.
+ - name: length
+ type: long
+ description: |
+ Length of the TCP header and payload.
+- name: pfsense.udp
+ type: group
+ fields:
+ - name: length
+ type: long
+ description: |
+ Length of the UDP header and payload.
+- name: pfsense.icmp
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ ICMP type.
+ - name: id
+ type: long
+ description: |
+ ID of the echo request/reply
+ - name: destination.ip
+ type: ip
+ description: Original destination address of the connection that caused this notification
+ - name: mtu
+ type: long
+ description: MTU to use for subsequent data to this destination
+ - name: otime
+ type: date
+ description: Originate Timestamp
+ - name: rtime
+ type: date
+ description: Receive Timestamp
+ - name: ttime
+ type: date
+ description: Transmit Timestamp
+ - name: unreachable
+ type: group
+ fields:
+ - name: iana_number
+ type: long
+ description: |
+ Protocol ID number that was unreachable
+ - name: port
+ type: long
+ description: |
+ Port number that was unreachable
+ - name: other
+ type: keyword
+ description: |
+ Other unreachable information
+ - name: code
+ type: long
+ description: |
+ ICMP code.
+ - name: parameter
+ type: long
+ description: |
+ ICMP parameter.
+ - name: redirect
+ type: ip
+ description: |
+ ICMP redirect address.
+ - name: seq
+ type: long
+ description: |
+ ICMP sequence number.
+- name: pfsense.dhcp.hostname
+ type: keyword
+ description: |
+ Hostname of DHCP client
+- name: pfsense.openvpn.peer_info
+ type: keyword
+ description: |-
+ Information about the Open VPN client
+- name: haproxy
+ type: group
+ fields:
+ - name: frontend_name
+ type: keyword
+ description: Name of the frontend (or listener) which received and processed the connection.
+ - name: backend_name
+ type: keyword
+ description: Name of the backend (or listener) which was selected to manage the connection to the server.
+ - name: server_name
+ type: keyword
+ description: Name of the last server to which the connection was sent.
+ - name: total_waiting_time_ms
+ type: long
+ description: Total time in milliseconds spent waiting in the various queues
+ - name: connection_wait_time_ms
+ type: long
+ description: Total time in milliseconds spent waiting for the connection to establish to the final server
+ - name: bytes_read
+ type: long
+ description: Total number of bytes transmitted to the client when the log is emitted.
+ - name: time_queue
+ type: long
+ description: Total time in milliseconds spent waiting in the various queues.
+ - name: time_backend_connect
+ type: long
+ description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
+ - name: server_queue
+ type: long
+ description: Total number of requests which were processed before this one in the server queue.
+ - name: backend_queue
+ type: long
+ description: Total number of requests which were processed before this one in the backend's global queue.
+ - name: bind_name
+ type: keyword
+ description: Name of the listening address which received the connection.
+ - name: error_message
+ type: text
+ description: Error message logged by HAProxy in case of error.
+ - name: source
+ type: keyword
+ description: The HAProxy source of the log
+ - name: termination_state
+ type: keyword
+ description: Condition the session was in when the session ended.
+ - name: mode
+ type: keyword
+ description: mode that the frontend is operating (TCP or HTTP)
+ - name: connections
+ type: group
+ fields:
+ - name: active
+ type: long
+ description: Total number of concurrent connections on the process when the session was logged.
+ - name: frontend
+ type: long
+ description: Total number of concurrent connections on the frontend when the session was logged.
+ - name: backend
+ type: long
+ description: Total number of concurrent connections handled by the backend when the session was logged.
+ - name: server
+ type: long
+ description: Total number of concurrent connections still active on the server when the session was logged.
+ - name: retries
+ type: long
+ description: Number of connection retries experienced by this session when trying to connect to the server.
+ - name: client
+ type: group
+ - name: destination
+ type: group
+ - name: geoip
+ type: group
+- name: haproxy.http
+ type: group
+ fields:
+ - name: response
+ type: group
+ fields:
+ - name: captured_cookie
+ type: keyword
+ description: |
+ Optional "name=value" entry indicating that the client had this cookie in the response.
+ - name: captured_headers
+ type: keyword
+ description: |
+ List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
+ - name: request
+ type: group
+ fields:
+ - name: captured_cookie
+ type: keyword
+ description: |
+ Optional "name=value" entry indicating that the server has returned a cookie with its request.
+ - name: captured_headers
+ type: keyword
+ description: |
+ List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
+ - name: raw_request_line
+ type: keyword
+ description: Complete HTTP request line, including the method, request and HTTP version string.
+ - name: time_wait_without_data_ms
+ type: long
+ description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
+ - name: time_wait_ms
+ type: long
+ description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
+- name: haproxy.tcp
+ type: group
+ fields:
+ - name: connection_waiting_time_ms
+ type: long
+ description: Total time in milliseconds elapsed between the accept and the last close
+- name: squid
+ type: group
+ fields:
+ - name: request_status
+ type: keyword
+ description: |
+ The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301).
+ - name: hierarchy_status
+ type: keyword
+ description: The proxy hierarchy route; the route Content Gateway used to retrieve the object.
diff --git a/packages/pfsense/1.0.1/data_stream/log/manifest.yml b/packages/pfsense/1.0.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..1b65cbac0b
--- /dev/null
+++ b/packages/pfsense/1.0.1/data_stream/log/manifest.yml
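Review bot: The two `captured_cookie` descriptions under `haproxy.http` are swapped: the `response` entry says "the client had this cookie in the response" and the `request` entry says "the server has returned a cookie with its request", but a client-sent cookie belongs to the request and a server-returned cookie to the response. Swap the strings so the request field reads `Optional "name=value" entry indicating that the client had this cookie in the request.` and the response field reads `Optional "name=value" entry indicating that the server has returned a cookie with its response.` Under `haproxy`, the `client`, `destination` and `geoip` entries are declared `type: group` with no `fields` and no `description`; if they are intentional placeholders for ECS-mapped data a one-line description should say so, otherwise they look like dead entries. `time_queue` duplicates the description of `total_waiting_time_ms` and `time_backend_connect` that of `connection_wait_time_ms`, which suggests one field of each pair is a leftover that the pipeline never fills; confirm which names the pipeline actually emits before keeping both.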
@@ -0,0 +1,140 @@
+type: logs
+title: pfSense log logs
+release: experimental
+streams:
+ - input: udp
+ template_path: udp.yml.hbs
+ title: pfSense syslog logs
+ description: Collect pfsense logs using udp input
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - pfsense
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: pfSense syslog logs
+ description: Collect pfsense logs using tcp input
+ enabled: false
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to TCP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The TCP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - pfsense
+ - forwarded
+ - name: ssl
+ type: yaml
+ title: TLS configuration
+ multi: false
+ required: false
+ show_user: true
+ description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/pfsense/1.0.1/data_stream/log/sample_event.json b/packages/pfsense/1.0.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..6f70d5817e
--- /dev/null
+++ b/packages/pfsense/1.0.1/data_stream/log/sample_event.json
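Review bot: The `tz_offset` description ends with `from UCT` in both the udp and tcp streams; it should read `from UTC`, and the same fix applies to the second copy under the tcp input. The `ssl` var on the tcp stream is the only transport-security setting and is left unset by default, while the `syslog_host` descriptions on both streams invite operators to bind to `0.0.0.0` without saying what that exposes, so the descriptions should state the consequence: for `ssl`, `description: Options for enabling TLS mode. Without it the TCP listener accepts unauthenticated cleartext syslog from any host that can reach it. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.`, and for each `syslog_host`, appending `Binding to a non-loopback address exposes an unauthenticated listener; restrict reachability with a host firewall.` The udp stream has no TLS option at all, which matches pfSense's UDP-only forwarding, so that caveat matters most there. `syslog_port` defaults to `9001` as a plain integer, which is correct for `type: integer`, but `default: localhost` and `default: local` are bare scalars that a stricter loader will still read as strings, so no quoting change is needed.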
@@ -0,0 +1,135 @@
+{
+ "@timestamp": "2021-07-04T00:10:14.578Z",
+ "agent": {
+ "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860",
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "pfsense.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "175.16.199.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "port": 853
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "block",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "pfsense.log",
+ "ingested": "2022-05-09T17:35:12Z",
+ "kind": "event",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n",
+ "provider": "filterlog",
+ "reason": "match",
+ "timezone": "-05:00",
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.18.0.4:58663"
+ },
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "network": {
+ "bytes": 60,
+ "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=",
+ "direction": "outbound",
+ "iana_number": "6",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "igb1.12"
+ },
+ "vlan": {
+ "id": "12"
+ }
+ },
+ "name": "pfSense.example.com",
+ "type": "firewall",
+ "vendor": "netgate"
+ },
+ "pfsense": {
+ "ip": {
+ "flags": "DF",
+ "id": 32989,
+ "offset": 0,
+ "tos": "0x0",
+ "ttl": 63
+ },
+ "tcp": {
+ "flags": "S",
+ "length": 0,
+ "options": [
+ "mss",
+ "sackOK",
+ "TS",
+ "nop",
+ "wscale"
+ ],
+ "window": 64240
+ }
+ },
+ "process": {
+ "name": "filterlog",
+ "pid": 72237
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1",
+ "10.170.12.50"
+ ]
+ },
+ "rule": {
+ "id": "1535324496"
+ },
+ "source": {
+ "address": "10.170.12.50",
+ "ip": "10.170.12.50",
+ "port": 49652
+ },
+ "tags": [
+ "preserve_original_event",
+ "pfsense",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.1/docs/README.md b/packages/pfsense/1.0.1/docs/README.md
new file mode 100755
index 0000000000..bcdfbd09f3
--- /dev/null
+++ b/packages/pfsense/1.0.1/docs/README.md
@@ -0,0 +1,430 @@
+# pfSense Integration
+
+This is an integration to parse certain logs from PFsense and OPNsense firewalls. It parses logs
+received over the network via syslog (UDP/TCP/TLS). pfSense natively only supports UDP. OPNsense supports all 3 transports.
+Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, HAProxy, Squid, and PHP-FPM (Authentication) logs. All other events will be dropped.
+The HAProxy logs are setup to be compatible with the dashboards from the HAProxy integration. Install the HAPrxoy integration assets to utilize them.
+
+**pfSense Setup**
+1. Navigate to _Status -> System Logs_, then click on _Settings_
+2. At the bottom check _Enable Remote Logging_
+3. (Optional) Select a specific interface to use for forwarding
+4. Input the agent IP address and port as set via the integration config into the field _Remote log servers_ (e.g. 192.168.100.50:5140)
+5. Under _Remote Syslog Contents_ select what logs to forward to the agent
+ * Select _Everything_ to forward all logs to the agent or select the individual services to forward. Any log entry not in the list above will be dropped. This will cause additional data to be sent to the agent and Elasticsearch. The firewall, VPN, DHCP, DNS, and Authentication (PHP-FPM) logs are able to be individually selected. In order to collect HAProxy and Squid or other "package" logs, the _Everything_ option must be selected.
+
+**OPNsense Setup**
+1. Navigate to _System -> Settings -> Logging/Targets_
+2. Add a new _Logging/Target_ (Click the plus icon)
+ - Transport = UDP or TCP or TLS
+ - Applications = Select a list of applications to send to remote syslog. Leave empty for all.
+ - Levels = Nothing Selected
+ - Facilities = Nothing Selected
+ - Hostname = IP of Elastic agent as configured in the integration config
+ - Port = Port of Elastic agent as configured in the integration config
+ - Certificate = Client certificate to use (when selecting a tls transport type)
+ - Description = Syslog to Elasticsearch
+ - Click Save
+
+ The module is by default configured to run with the `udp` input on port `9001`.
+
+**Important**
+The pfSense integration supports both the BSD logging format (used by pfSense by default and OPNsense) and the Syslog format (optional for pfSense).
+However the syslog format is recommended. It will provide the firewall hostname and timestamps with timezone information.
+When using the BSD format, the `Timezone Offset` config must be set when deploying the agent or else the timezone will default to the timezone of the agent. See `https:///status_logs_settings.php` and https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html for more information.
+
+
+A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo which is the foundation for the majority of the grok patterns and dashboards in this integration.
+## Logs
+
+### pfSense log
+
+This is the pfSense `log` dataset.
+ +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2021-07-04T00:10:14.578Z", + "agent": { + "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "pfsense.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "175.16.199.1", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 853 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "block", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "pfsense.log", + "ingested": "2022-05-09T17:35:12Z", + "kind": "event", + "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n", + "provider": "filterlog", + "reason": "match", + "timezone": "-05:00", + "type": [ + "connection", + "denied" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.4:58663" + }, + "syslog": { + "priority": 134 + } + }, + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", + "network": { + "bytes": 60, + "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", + "direction": "outbound", + "iana_number": "6", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ingress": { + "interface": { + "name": 
"igb1.12" + }, + "vlan": { + "id": "12" + } + }, + "name": "pfSense.example.com", + "type": "firewall", + "vendor": "netgate" + }, + "pfsense": { + "ip": { + "flags": "DF", + "id": 32989, + "offset": 0, + "tos": "0x0", + "ttl": 63 + }, + "tcp": { + "flags": "S", + "length": 0, + "options": [ + "mss", + "sackOK", + "TS", + "nop", + "wscale" + ], + "window": 64240 + } + }, + "process": { + "name": "filterlog", + "pid": 72237 + }, + "related": { + "ip": [ + "175.16.199.1", + "10.170.12.50" + ] + }, + "rule": { + "id": "1535324496" + }, + "source": { + "address": "10.170.12.50", + "ip": "10.170.12.50", + "port": 49652 + }, + "tags": [ + "preserve_original_event", + "pfsense", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| haproxy.backend_name | Name of the backend (or listener) which was selected to manage the connection to the server. | keyword | +| haproxy.backend_queue | Total number of requests which were processed before this one in the backend's global queue. | long | +| haproxy.bind_name | Name of the listening address which received the connection. | keyword | +| haproxy.bytes_read | Total number of bytes transmitted to the client when the log is emitted. 
| long | +| haproxy.connection_wait_time_ms | Total time in milliseconds spent waiting for the connection to establish to the final server | long | +| haproxy.connections.active | Total number of concurrent connections on the process when the session was logged. | long | +| haproxy.connections.backend | Total number of concurrent connections handled by the backend when the session was logged. | long | +| haproxy.connections.frontend | Total number of concurrent connections on the frontend when the session was logged. | long | +| haproxy.connections.retries | Number of connection retries experienced by this session when trying to connect to the server. | long | +| haproxy.connections.server | Total number of concurrent connections still active on the server when the session was logged. | long | +| haproxy.error_message | Error message logged by HAProxy in case of error. | text | +| haproxy.frontend_name | Name of the frontend (or listener) which received and processed the connection. | keyword | +| haproxy.http.request.captured_cookie | Optional "name=value" entry indicating that the server has returned a cookie with its request. | keyword | +| haproxy.http.request.captured_headers | List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. | keyword | +| haproxy.http.request.raw_request_line | Complete HTTP request line, including the method, request and HTTP version string. | keyword | +| haproxy.http.request.time_wait_ms | Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. | long | +| haproxy.http.request.time_wait_without_data_ms | Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. | long | +| haproxy.http.response.captured_cookie | Optional "name=value" entry indicating that the client had this cookie in the response. 
| keyword | +| haproxy.http.response.captured_headers | List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. | keyword | +| haproxy.mode | mode that the frontend is operating (TCP or HTTP) | keyword | +| haproxy.server_name | Name of the last server to which the connection was sent. | keyword | +| haproxy.server_queue | Total number of requests which were processed before this one in the server queue. | long | +| haproxy.source | The HAProxy source of the log | keyword | +| haproxy.tcp.connection_waiting_time_ms | Total time in milliseconds elapsed between the accept and the last close | long | +| haproxy.termination_state | Condition the session was in when the session ended. | keyword | +| haproxy.time_backend_connect | Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. | long | +| haproxy.time_queue | Total time in milliseconds spent waiting in the various queues. | long | +| haproxy.total_waiting_time_ms | Total time in milliseconds spent waiting in the various queues | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| hostname | Hostname from syslog header. | keyword |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.source.address | Source address of the syslog message. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| pfsense.dhcp.hostname | Hostname of DHCP client | keyword |
+| pfsense.icmp.code | ICMP code. | long |
+| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip |
+| pfsense.icmp.id | ID of the echo request/reply | long |
+| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long |
+| pfsense.icmp.otime | Originate Timestamp | date |
+| pfsense.icmp.parameter | ICMP parameter. | long |
+| pfsense.icmp.redirect | ICMP redirect address. | ip |
+| pfsense.icmp.rtime | Receive Timestamp | date |
+| pfsense.icmp.seq | ICMP sequence number. | long |
+| pfsense.icmp.ttime | Transmit Timestamp | date |
+| pfsense.icmp.type | ICMP type. | keyword |
+| pfsense.icmp.unreachable.iana_number | Protocol ID number that was unreachable | long |
+| pfsense.icmp.unreachable.other | Other unreachable information | keyword |
+| pfsense.icmp.unreachable.port | Port number that was unreachable | long |
+| pfsense.ip.ecn | Explicit Congestion Notification. | keyword |
+| pfsense.ip.flags | IP flags. | keyword |
+| pfsense.ip.flow_label | Flow label | keyword |
+| pfsense.ip.id | ID of the packet | long |
+| pfsense.ip.offset | Fragment offset | long |
+| pfsense.ip.tos | IP Type of Service identification. | keyword |
+| pfsense.ip.ttl | Time To Live (TTL) of the packet | long |
+| pfsense.openvpn.peer_info | Information about the Open VPN client | keyword |
+| pfsense.tcp.ack | TCP Acknowledgment number. | long |
+| pfsense.tcp.flags | TCP flags. | keyword |
+| pfsense.tcp.length | Length of the TCP header and payload. | long |
+| pfsense.tcp.options | TCP Options. | array |
+| pfsense.tcp.seq | TCP sequence number. | long |
+| pfsense.tcp.urg | Urgent pointer data. | keyword |
+| pfsense.tcp.window | Advertised TCP window size. | long |
+| pfsense.udp.length | Length of the UDP header and payload. | long |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.program | Process from syslog header. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.port | Port of the source. | long |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.id | Unique identifier of the user. | keyword |
+| squid.hierarchy_status | The proxy hierarchy route; the route Content Gateway used to retrieve the object. | keyword |
+| squid.request_status | The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
diff --git a/packages/pfsense/1.0.1/img/dhcp.png b/packages/pfsense/1.0.1/img/dhcp.png new file mode 100755 index 0000000000..3f73f8f3f4 Binary files /dev/null and b/packages/pfsense/1.0.1/img/dhcp.png differ diff --git a/packages/pfsense/1.0.1/img/firewall.png b/packages/pfsense/1.0.1/img/firewall.png new file mode 100755 index 0000000000..c98b30b09d Binary files /dev/null and b/packages/pfsense/1.0.1/img/firewall.png differ diff --git a/packages/pfsense/1.0.1/img/pfsense.svg b/packages/pfsense/1.0.1/img/pfsense.svg new file mode 100755 index 0000000000..f63b99ab31 --- /dev/null +++ b/packages/pfsense/1.0.1/img/pfsense.svg @@ -0,0 +1,22 @@ + + + + + + image/svg+xml + + pfSense Logo + + + + pfSense Logo + + + + + + + + + + diff --git a/packages/pfsense/1.0.1/img/unbound-1.png b/packages/pfsense/1.0.1/img/unbound-1.png new file mode 100755 index 0000000000..cc53e8aa49 Binary files /dev/null and b/packages/pfsense/1.0.1/img/unbound-1.png differ diff --git a/packages/pfsense/1.0.1/img/unbound-2.png b/packages/pfsense/1.0.1/img/unbound-2.png new file mode 100755 index 0000000000..eaa51ee3df Binary files /dev/null and b/packages/pfsense/1.0.1/img/unbound-2.png differ diff --git a/packages/pfsense/1.0.1/img/unbound-3.png b/packages/pfsense/1.0.1/img/unbound-3.png new file mode 100755 index 0000000000..838bfdc6bf Binary files /dev/null and b/packages/pfsense/1.0.1/img/unbound-3.png differ diff --git a/packages/pfsense/1.0.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..47067b4828 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"panelRefName\":\"panel_73294aad-e475-4a63-97d1-fc214a83bb0a\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"panelRefName\":\"panel_46725bb5-e239-4fa2-8dfd-4de947863354\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"w\":14,\"x\":34,\"y\":6},\"panelIndex\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"panelRefName\":\"panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"panelRefName\":\"panel_a7662c6e-94d5-4062-85f4-0132897f3578\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"panelRefName\":\"panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"27569da9-7531-40cf-be93-8778738b68be\",
\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"27569da9-7531-40cf-be93-8778738b68be\",\"panelRefName\":\"panel_27569da9-7531-40cf-be93-8778738b68be\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"columns\":[\"log.level\",\"client.ip\",\"dns.question.name\",\"dns.question.type\",\"dns.question.class\"],\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"w\":30,\"x\":0,\"y\":46},\"panelIndex\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"panelRefName\":\"panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"w\":18,\"x\":30,\"y\":46},\"panelIndex\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"panelRefName\":\"panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "Unbound - Dashboard [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-986061c0-3a9a-11eb-96b2-e765737b7534", + "migrationVersion": { + "dashboard": "7.14.0" + }, + "references": [ + { + "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", + "name": "73294aad-e475-4a63-97d1-fc214a83bb0a:panel_73294aad-e475-4a63-97d1-fc214a83bb0a", + "type": "visualization" + }, + { + "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", + "name": "46725bb5-e239-4fa2-8dfd-4de947863354:panel_46725bb5-e239-4fa2-8dfd-4de947863354", + "type": "visualization" + }, + { + "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", + "name": "f39b1b4c-b444-4d25-a8c5-a78b6285025f:panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f", + "type": "visualization" + }, + { + "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", + "name": "a7662c6e-94d5-4062-85f4-0132897f3578:panel_a7662c6e-94d5-4062-85f4-0132897f3578", + "type": "visualization" + }, + { + "id": 
"pfsense-98775710-3a98-11eb-96b2-e765737b7534", + "name": "763610d2-c8aa-4ab9-9a63-112e2471dcfc:panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc", + "type": "visualization" + }, + { + "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", + "name": "27569da9-7531-40cf-be93-8778738b68be:panel_27569da9-7531-40cf-be93-8778738b68be", + "type": "visualization" + }, + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "7ea4ebda-9d0c-4885-9c37-71cd0665497f:panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f", + "type": "search" + }, + { + "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", + "name": "6a32114d-577c-488b-b1e9-b7b4fc8941ae:panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..7bb13ddc75 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"w\":16,\"x\":0,\"y\":7},\"panelIndex\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"w\":17,\"x\":16,\"y\":0},\"panelIndex\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"w\":33,\"x\":0,\"y\":14},\"panelIndex\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"panelRefName\":\"panel_6
\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"w\":33,\"x\":0,\"y\":28},\"panelIndex\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"w\":15,\"x\":33,\"y\":28},\"panelIndex\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"panelRefName\":\"panel_8\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.vlan.id\",\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"rule.id\",\"event.action\"],\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"panelRefName\":\"panel_9\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"panelRefName\":\"panel_10\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"panelRefName\":\"panel_11\",\"version\":\"7.11.0\"}]", + "timeRestore": false, + "title": "Firewall - Dashboard [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534", + "migrationVersion": { + "dashboard": "7.14.0" + }, + "references": [ + { + "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", + "name": "panel_1", + "type": "lens" + }, + { + "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", + 
"name": "panel_2", + "type": "visualization" + }, + { + "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", + "name": "panel_5", + "type": "lens" + }, + { + "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "panel_9", + "type": "search" + }, + { + "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..133ffa4a16 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"w\":35,\"x\":0,\"y\":0},\"panelIndex\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"panelRefName\":\"panel_2b46d706-0288-4541-8880-ccb2efeeee92\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"panelRefName\":\"panel_6018121a-9303-4c73-9c96-d23362cdc74d\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"panelRefName\":\"panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"w\":13,\"x\":35,\"y\":14},\"panelIndex\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"panelRefName\":\"panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"w\":32,\"x\":0,\"y\":22},\"panelIndex\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"panelRefName\":\"panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"w\":16,\"x\":32,\"y\":22},\"panelIndex\":\"5b
500115-4722-432b-8d67-38b1a948c1d5\",\"panelRefName\":\"panel_5b500115-4722-432b-8d67-38b1a948c1d5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"w\":16,\"x\":0,\"y\":36},\"panelIndex\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"panelRefName\":\"panel_aa85065f-1b07-468c-b264-1231b59be97b\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"w\":32,\"x\":16,\"y\":36},\"panelIndex\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"panelRefName\":\"panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.interface.name\",\"event.action\",\"client.ip\",\"client.mac\",\"pfsense.dhcp.hostname\"],\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"panelRefName\":\"panel_73ea92c6-7373-4121-a255-1ed2e43010c1\",\"type\":\"search\",\"version\":\"7.10.0\"}]", + "timeRestore": false, + "title": "DHCP - Dashboard [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534", + "migrationVersion": { + "dashboard": "7.14.0" + }, + "references": [ + { + "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", + "name": "2b46d706-0288-4541-8880-ccb2efeeee92:panel_2b46d706-0288-4541-8880-ccb2efeeee92", + "type": "visualization" + }, + { + "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", + "name": "6018121a-9303-4c73-9c96-d23362cdc74d:panel_6018121a-9303-4c73-9c96-d23362cdc74d", + "type": "visualization" + }, + { + "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", + "name": "b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082:panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082", + 
"type": "visualization" + }, + { + "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", + "name": "d9f98967-4e91-4eef-9a43-9caaeeebe6f8:panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8", + "type": "visualization" + }, + { + "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", + "name": "20e8c75c-3e93-42ab-b5c5-6ad814b64151:panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151", + "type": "visualization" + }, + { + "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", + "name": "5b500115-4722-432b-8d67-38b1a948c1d5:panel_5b500115-4722-432b-8d67-38b1a948c1d5", + "type": "visualization" + }, + { + "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", + "name": "aa85065f-1b07-468c-b264-1231b59be97b:panel_aa85065f-1b07-468c-b264-1231b59be97b", + "type": "visualization" + }, + { + "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", + "name": "22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5:panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5", + "type": "visualization" + }, + { + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "name": "73ea92c6-7373-4121-a255-1ed2e43010c1:panel_73ea92c6-7373-4121-a255-1ed2e43010c1", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..0e6f2067c4 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "Treemap depicting the top 10 countries by destination ", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778": { + "columnOrder": [ + "9d13ff42-0a6d-4cb4-bff4-bbd64836de35", + "57fc4315-85f4-4449-a8bd-308ec2e81e68" + ], + "columns": { + "57fc4315-85f4-4449-a8bd-308ec2e81e68": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "9d13ff42-0a6d-4cb4-bff4-bbd64836de35": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of destination.geo.country_name", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "57fc4315-85f4-4449-a8bd-308ec2e81e68", + "type": "column" + }, + "orderDirection": "desc", + "size": 5 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_name" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "9d13ff42-0a6d-4cb4-bff4-bbd64836de35" + ], + "layerId": "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", + "legendDisplay": "default", + "metric": "57fc4315-85f4-4449-a8bd-308ec2e81e68", + "nestedLegend": false, + "numberDisplay": "percent", + "percentDecimals": 0 + } + ], + "shape": "treemap" + } + }, + "title": "Firewall - Top Destination Countries/Treemap (Lens) [pfSense]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", + "migrationVersion": { + "lens": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
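Review bot: The description at the top of this hunk says the treemap shows the top 10 countries, but the terms bucket `9d13ff42-0a6d-4cb4-bff4-bbd64836de35` is configured with `"size": 5`, so the chart shows at most five; the text and the configuration should agree. The description string also carries a trailing space. I would either change it to `"description": "Treemap depicting the top 5 countries by destination"` or raise `"size"` to 10 to match the stated intent, whichever reflects what the dashboard is meant to show.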
diff --git a/packages/pfsense/1.0.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..02f2a08f36 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "description": "Events over time line chart utilizing the LENS virtualization", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "25e5682a-0461-46dc-aa0a-7ad4cec0eade": { + "columnOrder": [ + "f718697e-acee-4bfd-99f4-3406e224ed7f", + "440112fe-405a-4b46-840e-2b9772961acc", + "31549313-ebc1-427a-9913-3f6f78594221" + ], + "columns": { + "31549313-ebc1-427a-9913-3f6f78594221": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "440112fe-405a-4b46-840e-2b9772961acc": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f718697e-acee-4bfd-99f4-3406e224ed7f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.action", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "31549313-ebc1-427a-9913-3f6f78594221", + "type": "column" + }, + "orderDirection": "desc", + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "31549313-ebc1-427a-9913-3f6f78594221" + ], + "layerId": "25e5682a-0461-46dc-aa0a-7ad4cec0eade", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "f718697e-acee-4bfd-99f4-3406e224ed7f", + "xAccessor": "440112fe-405a-4b46-840e-2b9772961acc" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + 
"x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "Firewall - Events/Time (Lens) [pfSense]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", + "migrationVersion": { + "lens": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-25e5682a-0461-46dc-aa0a-7ad4cec0eade", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..a455496aa4 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json 
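Review bot: The description in this lens object reads `utilizing the LENS virtualization`; the intended word is visualization, and the product name is written as Lens elsewhere in the same object (the title `Firewall - Events/Time (Lens) [pfSense]`). I would change it to `"description": "Events over time line chart utilizing the Lens visualization"`. The description sits at the top of the hunk, which begins on the previous line.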
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"filterlog\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"filterlog\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "Firewall - Discover [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..2476202065 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"dhcpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"dhcpd\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "DHCP - Discover [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json b/packages/pfsense/1.0.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json new file mode 100755 index 0000000000..133d3caa85 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"unbound\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"unbound\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "Unbound - Discover [pfSense]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..e672a59a66 --- /dev/null 
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "DHCP - Client IP/Time [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAx
is-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Client IP/Time\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..75f6a89eae --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "Select by interface alias", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Interface Selector [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.ingress.interface.name\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Interface Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Interface Selector\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..a3ebaa5ea7 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Unbound dns question types", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unbound - Question Types [pfSense]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"top\",\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Unbound - Question Types [pfSense]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json new file mode 100755 index 0000000000..7f73b1e962 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Firewall Selector [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1613404486264\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Firewall Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Firewall Selector\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..bfc06cc851 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "DHCP - Operation/Time [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Lef
tAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Operation/Time\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..985d72a2e0 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "Select by network transport type", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Network Transport Type [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"network.transport\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Network Transport Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Network Transport Type\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..cee6c25e13 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Unbound client IP over time", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unbound - Client IP/Time [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unbound - Client IP/Time\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..44a1d15c5a --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "DHCP - Interface [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Interface\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..e4a8a861bc --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Top 10 client IP unbound events", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unbound - Top Client IPs [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Client IPs\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..b3c6b75a69 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Displays quantity of events based on action type", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Event Action [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Firewall - Event Action\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..0e0841e17f --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Top 10 domain name question/queries",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Top Queries [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.registered_domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Queried Domains \",\"type\":\"tagcloud\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..ed42e0ac5c
--- /dev/null
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json
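Review bot: The inner visState title `\"title\":\"Unbound - Top Queried Domains \"` carries a trailing space and does not match the saved object's own title `Unbound - Top Queries [pfSense]`, so the panel header and the library listing will disagree and the stray blank is rendered as part of the panel title. Trimming it and aligning the two, e.g. `\"title\":\"Unbound - Top Queries\"`, keeps the export stable across re-imports. The description also says "domain name question/queries" while the terms aggregation runs on `dns.question.registered_domain`; `"description": "Top 10 queried registered domains (Unbound)",` would describe the field actually aggregated.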
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Client IP [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Client IP\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..e5404d633a
--- /dev/null
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json
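Review bot: `"description": ""` leaves this panel undocumented in the Kibana library, while the other visualizations in this commit carry a one-line summary of what they show. Following the terms aggregation on `client.ip` with `size` 15 in visState, something like `"description": "Share of DHCP events per client IP (top 15)",` would do. The same empty description appears in pfsense-bf8b2040 (DHCP - IP/MAC Flow) and pfsense-dffb6ab0 (DHCP - Operation) later in this chunk.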
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Heatmap of destination countries", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Country Destination/Heatmap [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Destination Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Destination/Heatmap\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": 
"visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..0489e7a517
--- /dev/null
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "DHCP - IP/MAC Flow [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"client.mac\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, 
different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: 
\\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"DHCP - IP/MAC Flow\",\"type\":\"vega\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..384f395db3 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json 
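Review bot: The Vega data source near the top of the `spec` string queries `index: logs-*`, which reads every logs-* data stream the viewer is authorized for rather than only this integration's data, and the composite terms on `client.ip`/`client.mac` will silently merge same-named fields from unrelated integrations; the `%context%: true` line applies the dashboard's query and filters but does not narrow the index list. Scoping it to the pfSense data stream pattern (presumably `index: logs-pfsense.log-*`; confirm against the package's data_stream directory) keeps the panel consistent with the saved search the sibling panels go through. The same `index: logs-*` is present in the Unbound - DNS Flow spec (pfsense-e895c9b0…) whose hunk begins at the end of this chunk. The in-spec comments still speak of "country" and "country code", leftovers from the Vega sankey example this was adapted from; rewording them, e.g. `// when a client IP or MAC is selected, filter out unrelated data`, stops them misleading the next maintainer. The `$schema` pins `vega/v3.0.json`, which is worth checking against the Vega version bundled with the targeted Kibana release.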
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Events over type based on network transport type", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Network Transport/Time [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport/Time\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histog
ram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Firewall - Network Transport/Time\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..09a7a4ce7a --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json 
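Review bot: The `description` reads "Events over type based on network transport type", where the first "type" looks like a typo for "time": the visState builds a date_histogram on `@timestamp` split by `network.transport`, and the object's title `Firewall - Network Transport/Time [pfSense]` matches that reading. Suggest `"description": "Events over time based on network transport type",`.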
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Heatmap of source countries", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Country Source/Heatmap [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Source Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Source/Heatmap\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No 
newline at end of file
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..4ce6eca893
--- /dev/null
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Operation [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Operation\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..bd1ab0a445
--- /dev/null
+++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Client IP \u003c-flow-\u003e dns question name", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unbound - DNS Flow [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"dns.question.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: 
[\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: 
destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"Unbound - DNS Flow\",\"type\":\"vega\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..b773f61c44 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Pie chart depicting events by interface alias", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Events by Interface [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Firewall - Events by Interface\",\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Firewall - Events by Interface\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..137b895052 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Unbound request heat map by IP address", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unbound - Request Rate [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Unbound - Request Rate\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json new file mode 100755 index 0000000000..95dfc88834 --- /dev/null +++ b/packages/pfsense/1.0.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "Network transport pie chart", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Firewall - Network Transport [pfSense]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"type\":\"pie\"},\"title\":\"Firewall - Network Transport \",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/pfsense/1.0.1/manifest.yml b/packages/pfsense/1.0.1/manifest.yml new file mode 100755 index 0000000000..69b14b9e33 --- /dev/null 
+++ b/packages/pfsense/1.0.1/manifest.yml
@@ -0,0 +1,52 @@
+name: pfsense
+title: pfSense Logs
+version: "1.0.1"
+release: ga
+description: Collect and parse logs from pfSense and OPNsense devices with Elastic Agent.
+type: integration
+icons:
+ - src: /img/pfsense.svg
+ title: pfsense
+ size: 512x143
+ type: image/svg+xml
+format_version: 1.0.0
+license: basic
+categories:
+ - network
+ - security
+conditions:
+ kibana.version: ^7.15.0 || ^8.0.0
+screenshots:
+ - src: /img/firewall.png
+ title: pfSense Firewall Dashboard
+ size: 2993x1646
+ type: image/png
+ - src: /img/dhcp.png
+ title: pfSense DHCP Dashboard
+ size: 2999x1640
+ type: image/png
+ - src: /img/unbound-1.png
+ title: pfSense Unbound Dashboard
+ size: 1680x763
+ type: image/png
+ - src: /img/unbound-2.png
+ title: pfSense Unbound Dashboard
+ size: 1679x833
+ type: image/png
+ - src: /img/unbound-3.png
+ title: pfSense Unbound Dashboard
+ size: 1679x904
+ type: image/png
+policy_templates:
+ - name: pfsense
+ title: pfSense logs
+ description: Collect logs from pfSense systems
+ inputs:
+ - type: udp
+ title: "Collect pfSense logs (input: udp)"
+ description: "Collecting logs from pfSense systems (input: udp)"
+ - type: tcp
+ title: "Collect pfSense logs (input: tcp)"
+ description: "Collecting logs from pfSense systems (input: tcp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/santa/3.1.0/changelog.yml b/packages/santa/3.1.0/changelog.yml
new file mode 100755
index 0000000000..55978f55f4
--- /dev/null
+++ b/packages/santa/3.1.0/changelog.yml
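Review bot: The three Unbound screenshots in `screenshots` all carry the identical `title: pfSense Unbound Dashboard`, so wherever the title is rendered as a caption the reader cannot tell the three images apart. Distinguishing them costs one word each, e.g. `title: pfSense Unbound Dashboard (overview)`, `(queries)`, `(clients)` — or whatever each image actually shows, which I cannot see from the manifest. The rest of the manifest is consistent: `version` is quoted, and `kibana.version` uses the same constraint form as the other packages in this diff.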
@@ -0,0 +1,99 @@ +# newer versions go on top +- version: "3.1.0" + changes: + - description: Add `process.entity_id` field. + type: enhancement + link: https://github.com/elastic/integrations/pull/3373 +- version: "3.0.0" + changes: + - description: Update log format to support the GA releases of Santa. The pre-GA Santa log format (circa 2017) is no longer accepted. + type: enhancement + link: https://github.com/elastic/integrations/pull/3347 +- version: "2.1.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "2.0.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2437 + - description: process.ppid replaced with process.parent.pid (breaking change) + type: enhancement + link: https://github.com/elastic/integrations/pull/2437 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2260 +- version: "1.0.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2088 +- version: "1.0.2" + changes: + - description: Update Title and Description. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1984 +- version: "1.0.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1848 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1718 +- version: "0.4.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1676 +- version: "0.3.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1502 +- version: '0.3.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1416 +- version: "0.3.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.2.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1273 +- version: "0.1.0" + changes: + - description: update to ECS 1.10.0 and adding event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1100 +- version: "0.0.3" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/868 +- version: "0.0.2" + changes: + - description: Fix compatibility with Kibana + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/740 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/440 
diff --git a/packages/santa/3.1.0/data_stream/log/agent/stream/log.yml.hbs b/packages/santa/3.1.0/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..376d21fc6c --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +exclude_files: [".gz$"] +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/santa/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/santa/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..54491ba609 --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
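Review bot: The `- {{path}}` and `- {{tag}}` entries in `log.yml.hbs` are rendered as bare YAML scalars, so a configured path or tag that contains `: `, ` #`, or starts with an indicator is silently folded or misparsed by the agent's YAML loader instead of being rejected. If the other stream templates in this repository do not deliberately rely on the bare form, writing them as `- '{{path}}'` and `- '{{tag}}'` keeps the rendered stream config robust to such values. `{{processors}}` is presumably a pre-rendered YAML block and is correctly left unquoted.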
@@ -0,0 +1,115 @@ +--- +description: Pipeline for parsing Google Santa logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}(\|explain=%{NOT_SEPARATOR:santa.explain})?\|sha256=%{NOT_SEPARATOR:process.hash.sha256}(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:santa.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?' 
+ - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|path=%{NOT_SEPARATOR:file.path}(\|newpath=%{NOT_SEPARATOR:file.target_path})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:santa.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|process=%{NOT_SEPARATOR:process.name}\|processpath=%{NOT_SEPARATOR:process.executable}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}' + - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}?\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}?(\|fs=%{NOT_SEPARATOR:santa.disk.fs})?(\|model=%{NOT_SEPARATOR:santa.disk.model}?)?(\|serial=%{NOT_SEPARATOR:santa.disk.serial}?)?(\|bus=%{NOT_SEPARATOR:santa.disk.bus}?)?(\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?)?(\|appearance=%{TIMESTAMP_ISO8601:santa.disk.appearance})?' 
+ pattern_definitions: + NOT_SEPARATOR: '[^\|]+' + - set: + field: process.entity_id + value: "{{{process.pid}}}-{{{santa.pidversion}}}" + if: "ctx.process?.pid != null && ctx.santa?.pidversion != null" + - set: + field: process.entity_id + value: "{{{agent.id}}}-{{{process.entity_id}}}" + if: "ctx.agent?.id != null && ctx.process?.entity_id != null" + - date: + field: process.start + target_field: process.start + formats: + - ISO8601 + ignore_failure: true + - set: + field: '@timestamp' + value: '{{ process.start }}' + ignore_failure: true + ignore_empty_value: true + - split: + field: santa.args + separator: ' ' + ignore_failure: true + - date: + field: timestamp + target_field: '@timestamp' + formats: + - ISO8601 + ignore_failure: true + - remove: + field: timestamp + ignore_missing: true + - append: + field: process.args + value: "{{process.executable}}" + if: "ctx?.process?.executable != null" + - foreach: + field: santa.args + processor: + append: + field: process.args + value: "{{_ingest._value}}" + ignore_missing: true + - remove: + field: santa.args + ignore_missing: true + - set: + field: event.kind + value: event + - append: + field: event.category + value: process + if: "ctx?.santa?.action == 'EXEC'" + - append: + field: event.type + value: start + if: "ctx?.santa?.action == 'EXEC'" + - set: + field: event.outcome + value: success + if: "ctx?.santa?.decision == 'ALLOW'" + - set: + field: event.outcome + value: failure + if: "ctx?.santa?.decision == 'DENY'" + - set: + field: event.action + value: "{{santa.action}}" + ignore_empty_value: true + - lowercase: + field: event.action + ignore_missing: true + - append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" + - append: + field: related.hash + value: "{{santa.certificate.sha256}}" + if: "ctx?.santa?.certificate?.sha256 != null" + - append: + field: related.hash + value: "{{process.hash.sha256}}" + if: "ctx?.process?.hash != null" + - set: + field: 
file.x509.issuer.common_name + value: "{{santa.certificate.common_name}}" + ignore_empty_value: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/santa/3.1.0/data_stream/log/fields/agent.yml b/packages/santa/3.1.0/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/fields/agent.yml 
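Review bot: In the ingest pipeline, the `related.hash` append for `process.hash.sha256` is guarded by `if: "ctx?.process?.hash != null"`, which tests the parent object rather than the field; should `process.hash` ever be populated with another algorithm and no `sha256`, the mustache template renders an empty string and an empty value is appended to `related.hash`. The sibling append for the certificate hash checks the leaf (`ctx?.santa?.certificate?.sha256 != null`), so the two should agree: `if: "ctx?.process?.hash?.sha256 != null"`. Separately, `event.category` and `event.type` are only populated when `santa.action == 'EXEC'`; the second and third grok patterns appear to produce file (`file.path`, `file.target_path`) and disk (`santa.disk.*`) events that leave the pipeline with `event.kind: event` but no category, which detection rules filtering on `event.category` will miss — either map those actions too or document the gap in a comment above the `append` processors.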
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/santa/3.1.0/data_stream/log/fields/base-fields.yml b/packages/santa/3.1.0/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..321b0c89c6 --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: santa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: santa.log +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/santa/3.1.0/data_stream/log/fields/ecs.yml b/packages/santa/3.1.0/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..716c611946 --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,103 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: Target path for symlinks. + multi_fields: + - name: text + type: match_only_text + name: file.target_path + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: file.x509.issuer.common_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. 
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: The time the process started. + name: process.start + type: date +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All the user names or other user identifiers seen on the event. 
+ name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/santa/3.1.0/data_stream/log/fields/package-fields.yml b/packages/santa/3.1.0/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..e53706fbcc --- /dev/null +++ b/packages/santa/3.1.0/data_stream/log/fields/package-fields.yml @@ -0,0 +1,54 @@ +- name: santa + type: group + fields: + - name: action + type: keyword + description: Action + - name: decision + type: keyword + description: Decision that santad took. + - name: reason + type: keyword + description: Reason for the decision. + - name: explain + type: keyword + description: Further details for the decision. + - name: mode + type: keyword + description: Operating mode of Santa. + - name: disk + type: group + fields: + - name: volume + type: keyword + description: The volume name. + - name: bus + type: keyword + description: The disk bus protocol. + - name: serial + type: keyword + description: The disk serial number. + - name: bsdname + type: keyword + description: The disk BSD name. + - name: model + type: keyword + description: The disk model. + - name: fs + type: keyword + description: The disk volume kind (filesystem type). + - name: mount + type: keyword + description: The disk volume path. + - name: appearance + type: date + description: Timestamp for volume operation. + - name: certificate.common_name + type: keyword + description: Common name from code signing certificate. + - name: certificate.sha256 + type: keyword + description: SHA256 hash of code signing certificate. + - name: pidversion + type: long + description: macOS process identity version. 
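Review bot: `santa.action` is documented only as `description: Action`, a repeat of its name, while its siblings (`decision`, `reason`, `explain`) each say what they hold; the exported-fields table in the README inherits the same empty description. Suggest `description: Action recorded by Santa for this log line (e.g. LINK, as in the sample event).`. `santa.pidversion` ("macOS process identity version.") would also benefit from saying why it matters: in the sample event `process.entity_id` appears to be composed of agent.id, `process.pid` and `santa.pidversion`, which is presumably what lets the identifier survive PID reuse, so an analyst correlating events needs to know that; e.g. `description: macOS process identity version; together with process.pid it identifies a specific process instance across PID reuse.`.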
diff --git a/packages/santa/3.1.0/data_stream/log/manifest.yml b/packages/santa/3.1.0/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..77d82dcf3a
--- /dev/null
+++ b/packages/santa/3.1.0/data_stream/log/manifest.yml
@@ -0,0 +1,41 @@
+type: logs
+title: Google Santa log logs
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/db/santa/santa.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - santa-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Google Santa logs
+ description: Collect Google Santa logs using log input
diff --git a/packages/santa/3.1.0/data_stream/log/sample_event.json b/packages/santa/3.1.0/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..b3dcbaecd4
--- /dev/null
+++ b/packages/santa/3.1.0/data_stream/log/sample_event.json
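Review bot: The stream `title: Google Santa log logs` at the top of the hunk repeats the word and disagrees with the data stream's own `title: Google Santa logs` at the bottom of the same file; suggest `title: Google Santa logs` for both. Separately, the `tags` variable is `required: true` but `show_user: false`, so a user who clears the default in the advanced section sees a validation failure on a field that is hidden by default; either expose it (`show_user: true`) or drop `required`, since the pipeline's behaviour without tags is not visible here and may be fine.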
@@ -0,0 +1,98 @@ +{ + "@timestamp": "2022-05-12T11:30:05.248Z", + "agent": { + "ephemeral_id": "ea9b3ab9-896a-456a-8e87-7a6452edad19", + "id": "2c596a05-d358-406e-924c-bf221088f43c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "data_stream": { + "dataset": "santa.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2c596a05-d358-406e-924c-bf221088f43c", + "snapshot": true, + "version": "8.2.1" + }, + "event": { + "action": "link", + "agent_id_status": "verified", + "dataset": "santa.log", + "ingested": "2022-05-18T03:34:40Z", + "kind": "event" + }, + "file": { + "path": "/private/var/db/santa/santa.log", + "target_path": "/private/var/db/santa/santa.log.0" + }, + "group": { + "id": "0", + "name": "wheel" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.160.7" + ], + "mac": [ + "02:42:c0:a8:a0:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/santa.log" + }, + "level": "I", + "offset": 1150 + }, + "process": { + "args": [ + "/usr/sbin/newsyslog" + ], + "entity_id": "2c596a05-d358-406e-924c-bf221088f43c-71559-1096716", + "executable": "/usr/sbin/newsyslog", + "name": "newsyslog", + "parent": { + "pid": 1 + }, + "pid": 71559, + "start": "2022-05-12T11:30:05.248Z" + }, + "related": { + "user": [ + "root" + ] + }, + "santa": { + "action": "LINK", + "pidversion": 1096716 + }, + "tags": [ + "santa-log" + ], + "user": { + "id": "0", + "name": "root" + } +} \ No newline at end of file diff --git a/packages/santa/3.1.0/docs/README.md b/packages/santa/3.1.0/docs/README.md new file mode 100755 index 0000000000..2e9a94e4b2 
--- /dev/null +++ b/packages/santa/3.1.0/docs/README.md 
@@ -0,0 +1,209 @@ +# Google Santa Integration + +The Google Santa integration collects and parses logs from [Google Santa](https://github.com/google/santa), a security tool for macOS that monitors process executions and can blacklist/whitelist +binaries. + +## Compatibility + +The Google Santa integration was tested with logs from Santa 2022.4. + +**Google Santa is available for MacOS only.** + +The integration is by default configured to read logs from `/var/db/santa/santa.log`. + +## Logs + +### Google Santa log + +This is the Google Santa `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-05-12T11:30:05.248Z", + "agent": { + "ephemeral_id": "ea9b3ab9-896a-456a-8e87-7a6452edad19", + "id": "2c596a05-d358-406e-924c-bf221088f43c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "data_stream": { + "dataset": "santa.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "2c596a05-d358-406e-924c-bf221088f43c", + "snapshot": true, + "version": "8.2.1" + }, + "event": { + "action": "link", + "agent_id_status": "verified", + "dataset": "santa.log", + "ingested": "2022-05-18T03:34:40Z", + "kind": "event" + }, + "file": { + "path": "/private/var/db/santa/santa.log", + "target_path": "/private/var/db/santa/santa.log.0" + }, + "group": { + "id": "0", + "name": "wheel" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.160.7" + ], + "mac": [ + "02:42:c0:a8:a0:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/santa.log" + }, + "level": "I", + "offset": 1150 + }, + "process": { + "args": [ 
+ "/usr/sbin/newsyslog" + ], + "entity_id": "2c596a05-d358-406e-924c-bf221088f43c-71559-1096716", + "executable": "/usr/sbin/newsyslog", + "name": "newsyslog", + "parent": { + "pid": 1 + }, + "pid": 71559, + "start": "2022-05-12T11:30:05.248Z" + }, + "related": { + "user": [ + "root" + ] + }, + "santa": { + "action": "LINK", + "pidversion": 1096716 + }, + "tags": [ + "santa-log" + ], + "user": { + "id": "0", + "name": "root" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| santa.action | Action | keyword | +| santa.certificate.common_name | Common name from code signing certificate. | keyword | +| santa.certificate.sha256 | SHA256 hash of code signing certificate. | keyword | +| santa.decision | Decision that santad took. | keyword | +| santa.disk.appearance | Timestamp for volume operation. | date | +| santa.disk.bsdname | The disk BSD name. | keyword | +| santa.disk.bus | The disk bus protocol. | keyword | +| santa.disk.fs | The disk volume kind (filesystem type). | keyword | +| santa.disk.model | The disk model. | keyword | +| santa.disk.mount | The disk volume path. | keyword | +| santa.disk.serial | The disk serial number. | keyword | +| santa.disk.volume | The volume name. 
| keyword | +| santa.explain | Further details for the decision. | keyword | +| santa.mode | Operating mode of Santa. | keyword | +| santa.pidversion | macOS process identity version. | long | +| santa.reason | Reason for the decision. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/santa/3.1.0/img/icon.svg b/packages/santa/3.1.0/img/icon.svg new file mode 100755 index 0000000000..6d4519d5bb --- /dev/null +++ b/packages/santa/3.1.0/img/icon.svg @@ -0,0 +1,281 @@ + + + + diff --git a/packages/santa/3.1.0/img/kibana-santa-log-overview.png b/packages/santa/3.1.0/img/kibana-santa-log-overview.png new file mode 100755 index 0000000000..31abdeb270 Binary files /dev/null and b/packages/santa/3.1.0/img/kibana-santa-log-overview.png differ diff --git a/packages/santa/3.1.0/kibana/dashboard/santa-161855f0-ff6a-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/dashboard/santa-161855f0-ff6a-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..b828312f45 --- /dev/null +++ b/packages/santa/3.1.0/kibana/dashboard/santa-161855f0-ff6a-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,59 @@ +{ + "attributes": { + "description": "Process executions on macOS monitored by Google Santa.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:santa.log\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":10,\"x\":8,\"y\":12},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":12,\"x\":36,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"5\",\"w\":8,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"6\",\"w\":18,\"x\":18,\"y\":12},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-alpha1-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Santa] Overview", + "version": 1 + }, + "id": "santa-161855f0-ff6a-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + 
"id": "santa-dad521d0-ff69-11e8-93c5-d5ecd1b3e307", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "santa-1579d690-ff6b-11e8-93c5-d5ecd1b3e307", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "santa-51677b80-ff6b-11e8-93c5-d5ecd1b3e307", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "santa-30962fe0-ff6c-11e8-93c5-d5ecd1b3e307", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "santa-b06c0460-ff6c-11e8-93c5-d5ecd1b3e307", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "santa-11858000-ff6d-11e8-93c5-d5ecd1b3e307", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307", + "name": "panel_6", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/search/santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/search/santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..ac4336723d --- /dev/null +++ b/packages/santa/3.1.0/kibana/search/santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,48 @@
+{
+ "attributes": {
+ "columns": [
+ "agent.name",
+ "process.executable",
+ "user.name",
+ "santa.certificate.common_name"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Santa Logs Search [Logs Santa]",
+ "version": 1
+ },
+ "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/santa/3.1.0/kibana/visualization/santa-11858000-ff6d-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-11858000-ff6d-11e8-93c5-d5ecd1b3e307.json
new file mode 100755
index 0000000000..51836c8fbf
--- /dev/null
+++ b/packages/santa/3.1.0/kibana/visualization/santa-11858000-ff6d-11e8-93c5-d5ecd1b3e307.json
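Review bot: The saved search's query is empty (`\"query\":\"\"`) over the `logs-*` index pattern, so `Santa Logs Search [Logs Santa]` and the four visualizations that reference it as `search_0` (Total Events, Num of Hosts Reporting, Code Signers, Decision and Reason) match every document in `logs-*` when opened outside the dashboard; only the dashboard-level query `data_stream.dataset:santa.log` scopes them. Suggest scoping the search itself, matching the filter the TSVB panel in santa-1579d690 already uses: `\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:santa.log\"}`. The `references` array also lists `filter[0].meta.index` and `filter[1].meta.index` although `searchSourceJSON` has `\"filter\":[]`, so those two entries point at filters that do not exist and can be dropped.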
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Code Signers [Logs Santa]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"santa.certificate.common_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":39,\"minFontSize\":12,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Code Signers [Logs Santa]\",\"type\":\"tagcloud\"}" + }, + "id": "santa-11858000-ff6d-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/visualization/santa-1579d690-ff6b-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-1579d690-ff6b-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..244cd3e35b --- /dev/null +++ b/packages/santa/3.1.0/kibana/visualization/santa-1579d690-ff6b-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Decisions [Logs Santa]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:santa.log)\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Decision\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"santa.decision\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Decisions [Logs Santa]\",\"type\":\"metrics\"}" + }, + "id": "santa-1579d690-ff6b-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/visualization/santa-30962fe0-ff6c-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-30962fe0-ff6c-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..aa90c1e00c --- /dev/null +++ b/packages/santa/3.1.0/kibana/visualization/santa-30962fe0-ff6c-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Decision and Reason [Logs Santa]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"ALLOW\":\"#7EB26D\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Decision\",\"field\":\"santa.decision\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Reason\",\"field\":\"santa.reason\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Decision and Reason [Logs Santa]\",\"type\":\"pie\"}" + }, + "id": "santa-30962fe0-ff6c-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/visualization/santa-51677b80-ff6b-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-51677b80-ff6b-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..e229c53c45 --- /dev/null 
+++ b/packages/santa/3.1.0/kibana/visualization/santa-51677b80-ff6b-11e8-93c5-d5ecd1b3e307.json @@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Total Events [Logs Santa]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Events [Logs Santa]\",\"type\":\"metric\"}" + }, + "id": "santa-51677b80-ff6b-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/visualization/santa-b06c0460-ff6c-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-b06c0460-ff6c-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..5ff498a9ad --- /dev/null +++ b/packages/santa/3.1.0/kibana/visualization/santa-b06c0460-ff6c-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Num of Hosts Reporting [Logs Santa]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Hosts Reporting\",\"field\":\"agent.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Num of Hosts Reporting [Logs Santa]\",\"type\":\"metric\"}" + }, + "id": "santa-b06c0460-ff6c-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "santa-6d56a010-ff6a-11e8-93c5-d5ecd1b3e307", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/kibana/visualization/santa-dad521d0-ff69-11e8-93c5-d5ecd1b3e307.json b/packages/santa/3.1.0/kibana/visualization/santa-dad521d0-ff69-11e8-93c5-d5ecd1b3e307.json new file mode 100755 index 0000000000..eb7d2ddfdc --- /dev/null +++ b/packages/santa/3.1.0/kibana/visualization/santa-dad521d0-ff69-11e8-93c5-d5ecd1b3e307.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Description [Logs Santa]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"![Santa Icon](https://raw.githubusercontent.com/google/santa/main/Source/santa/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png)\\n\\nGoogle Santa is a binary whitelisting/blacklisting system for macOS that monitors process executions.\",\"openLinksInNewTab\":false},\"title\":\"Description [Logs Santa]\",\"type\":\"markdown\"}" + }, + "id": "santa-dad521d0-ff69-11e8-93c5-d5ecd1b3e307", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/santa/3.1.0/manifest.yml b/packages/santa/3.1.0/manifest.yml new file mode 100755 index 0000000000..94e2bdd37d --- /dev/null +++ b/packages/santa/3.1.0/manifest.yml @@ -0,0 +1,32 @@ +name: santa +title: Google Santa Logs +version: 3.1.0 +release: ga +description: Collect and parse logs from Google Santa instances with Elastic Agent. +type: integration +icons: + - src: /img/icon.svg + title: Google Santa + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - security + - os_system +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/kibana-santa-log-overview.png + title: kibana santa log overview + size: 2912x2024 + type: image/png +policy_templates: + - name: santa + title: Google Santa logs + description: Collect logs from Google Santa instances + inputs: + - type: logfile + title: "Collect Google Santa application logs (input: logfile)" + description: "Collecting application logs from Google Santa instances (input: logfile)" +owner: + github: elastic/security-external-integrations 
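Review bot: The markdown in this visState embeds an image fetched at render time from raw.githubusercontent.com, so every view of the Santa overview dashboard makes an outbound request from the analyst's browser to GitHub, and in an egress-restricted or air-gapped deployment — where an endpoint-allowlisting dashboard is quite likely to run — the panel shows a broken image. The package already ships a local icon (`/img/icon.svg` in the manifest on this same line), so the description panel does not need a remote asset; dropping the image line leaves `"markdown":"Google Santa is a binary whitelisting/blacklisting system for macOS that monitors process executions."`. If the image is wanted, it should be bundled under the package's img directory rather than pulled from a third-party host the deployment may not trust or reach.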
diff --git a/packages/snort/0.3.1/changelog.yml b/packages/snort/0.3.1/changelog.yml
new file mode 100755
index 0000000000..7501529198
--- /dev/null
+++ b/packages/snort/0.3.1/changelog.yml
@@ -0,0 +1,56 @@
+# newer versions go on top
+- version: "0.3.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS and add missing mappings for various event.* fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3301
+- version: "0.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "0.2.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.2.1"
+ changes:
+ - description: Fix test data
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2914
+- version: "0.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2438
+- version: "0.1.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.1.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2261
+- version: "0.0.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1985
+- version: "0.0.2"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1849
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/XXX
diff --git a/packages/snort/0.3.1/data_stream/log/agent/stream/log.yml.hbs b/packages/snort/0.3.1/data_stream/log/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..4e6ae04aac
--- /dev/null
+++ b/packages/snort/0.3.1/data_stream/log/agent/stream/log.yml.hbs
@@ -0,0 +1,37 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+{{#if multiline_full}}
+multiline:
+ type: pattern
+ pattern: '^\[\*\*\]'
+ negate: true
+ match: after
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
+{{#if internal_networks.length}}
+- add_fields:
+ target: _tmp
+ fields:
+ tz_offset: {{tz_offset}}
+ internal_networks:
+ {{#each internal_networks as |ntwrk i|}}
+ - {{ntwrk}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/snort/0.3.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/snort/0.3.1/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..526e65f09d
--- /dev/null
+++ b/packages/snort/0.3.1/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,26 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
+{{#if internal_networks.length}}
+- add_fields:
+ target: _tmp
+ fields:
+ tz_offset: {{tz_offset}}
+ internal_networks:
+ {{#each internal_networks as |ntwrk i|}}
+ - {{ntwrk}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
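Review bot: `tz_offset: {{tz_offset}}` in the add_fields block of both templates (log.yml.hbs and udp.yml.hbs) renders the user-supplied value as a plain YAML scalar, so an offset such as `+0100` can be retyped by the agent's YAML loader (leading `+`/`0` look like a signed or octal integer, depending on the loader's implicit typing) before it ever reaches the ingest pipeline. The pipeline compares that field against the string `'local'` and then hands it to the date processor's `timezone` option, both of which expect a string, and a retyped value would make every event in the stream fail with an invalid-timezone error rather than parse. Quoting the substitution avoids the ambiguity: `tz_offset: "{{tz_offset}}"`. The `- {{ntwrk}}` entries are fine unquoted for CIDRs and the named ranges the network_direction processor accepts, but the same quoting would cost nothing there.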
diff --git a/packages/snort/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/snort/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..b7afa7bdf6
--- /dev/null
+++ b/packages/snort/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,222 @@ +--- +description: Pipeline for parsing Snort logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + - set: + field: observer.vendor + value: snort + - set: + field: observer.product + value: ids + - set: + field: observer.type + value: ids + - grok: + field: event.original + patterns: + # Syslog + - '^(%{ECS_SYSLOG_PRI})?%{SYSLOGTIMESTAMP:_tmp.timestamp} (?:%{SYSLOGFACILITY} )?%{OBSERVER} %{SYSLOGPROG}:%{HEADER}%{FAST_BODY}' + # PFsense CSV + - '%{CSV_START},%{NONNEGINT:snort.ip.id:long},(%{DATA:rule.category}|),%{NONNEGINT:event.severity:long},%{WORD},%{WORD:_tmp.action}' + # Alert CSV (Default) + - '%{CSV_START},(%{MAC:source.mac}|),(%{MAC:destination.mac}|),(%{DATA:snort.eth.length}|),(%{DATA:snort.tcp.flags}|),(%{BASE16NUM:snort.tcp.seq}|),(%{BASE16NUM:snort.tcp.ack}|),(|%{DATA:snort.tcp.length}),(%{BASE16NUM:snort.tcp.window}|),(%{NONNEGINT:snort.ip.ttl:long}|),(%{NONNEGINT:snort.ip.tos:long}|),(%{NONNEGINT:snort.ip.id:long}|),(%{NONNEGINT:snort.dgm.length:long}|),(%{NONNEGINT:snort.ip.length:long}|),(%{NONNEGINT:snort.icmp.type:long}|),(%{NONNEGINT:snort.icmp.code:long}|),(%{NONNEGINT:snort.icmp.id:long}|),(%{NONNEGINT:snort.icmp.seq:long}|)' + # Snort Alert Fast + - '%{SNORT_DATE:_tmp.timestamp}%{SPACE}%{FAST_HEADER}%{FAST_BODY}' + # Snort Alert Full (Multiline) + - '%{FAST_HEADER}\n(%{CLASSIFICATION} )?%{PRIORITY} \n%{SNORT_DATE:_tmp.timestamp} %{IP:source.address}(:%{POSINT:source.port:long}|) -> %{IP:destination.address}(:%{POSINT:destination.port:long}|)\n%{WORD:network.transport} (TTL:%{NONNEGINT:snort.ip.ttl:long}|) (TOS:%{BASE16NUM:snort.ip.tos}|) (ID:%{NONNEGINT:snort.ip.id:long}|) (IpLen:%{NONNEGINT:snort.ip.length:long}|) (DgmLen:%{NONNEGINT:snort.dgm.length:long}|)(%{SPACE}%{NOTSPACE:snort.ip.flags})?\n(%{UDP_DATA}|%{ICMP_DATA}|%{TCP_DATA})' + pattern_definitions: + SNORT_DATE: '%{MONTHNUM}/%{MONTHDAY}(/%{YEAR})?-%{TIME}' + SEP: '(\[\*\*\])' + CSV_START: 
'%{SNORT_DATE:_tmp.timestamp}(%{SPACE})?,%{NONNEGINT:snort.gid:long},%{NONNEGINT:rule.id},%{NONNEGINT:rule.version},("?%{DATA:rule.description}"?|),%{WORD:network.transport},%{IP:source.address},(%{POSINT:source.port:long}|),%{IP:destination.address},(%{POSINT:destination.port:long}|)' + HEADER: '%{SPACE}\[%{NONNEGINT:snort.gid:long}:%{NONNEGINT:rule.id}:%{NONNEGINT:rule.version}\]%{SPACE}%{DATA:rule.description}%{SPACE}' + FAST_HEADER: '%{SEP}%{HEADER}%{SEP}' + FAST_BODY: '%{SPACE}%{CLASSIFICATION} %{PRIORITY} \{%{WORD:network.transport}\} %{IP:source.address}(:%{POSINT:source.port:long}|) -> %{IP:destination.address}(:%{POSINT:destination.port:long}|)' + TCP_DATA: '(%{NOTSPACE:snort.tcp.flags}|)%{SPACE}(Seq: %{BASE16NUM:snort.tcp.seq}|)%{SPACE}(Ack: %{BASE16NUM:snort.tcp.ack}|)%{SPACE}(Win: %{BASE16NUM:snort.tcp.window}|)%{SPACE}(TcpLen: %{NONNEGINT:snort.tcp.length:long}|)' + UDP_DATA: '(Len: %{NONNEGINT:snort.udp.length:long})' + ICMP_DATA: '(Type:%{NONNEGINT:snort.icmp.type:long}|)%{SPACE}(Code:%{NONNEGINT:snort.icmp.code:long}|)%{SPACE}(ID:%{NONNEGINT:snort.icmp.id:long}|)%{SPACE}(Seq:%{NONNEGINT:snort.icmp.seq:long}|)%{GREEDYDATA}' + CLASSIFICATION: '(\[Classification: %{DATA:rule.category}\])?' + PRIORITY: '\[Priority: %{NONNEGINT:event.severity:long}\]' + OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})' + ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' + SYSLOGPROG: '%{PROG:process.name}(?:\[%{POSINT:process.pid:int}\])?' 
+ - set: + field: event.timezone + value: "{{_tmp.tz_offset}}" + if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' + - date: + field: _tmp.timestamp + target_field: '@timestamp' + timezone: "{{ event.timezone }}" + formats: + - MM/dd-HH:mm:ss.SSSSSS + - MM/dd/YY-HH:mm:ss.SSSSSS + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + if: ctx.event?.timezone != null + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - MM/dd-HH:mm:ss.SSSSSS + - MM/dd/YY-HH:mm:ss.SSSSSS + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + if: ctx.event?.timezone == null + - set: + field: event.created + copy_from: '@timestamp' + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + - uppercase: + field: destination.mac + ignore_missing: true + - uppercase: + field: source.mac + ignore_missing: true + - gsub: + field: destination.mac + pattern: '[.:]' + replacement: '-' + ignore_missing: true + - gsub: + field: source.mac + pattern: '[.:]' + replacement: '-' + ignore_missing: true + - lowercase: + field: network.transport + ignore_missing: true + - set: + field: event.kind + value: alert + - append: + field: event.category + value: network + allow_duplicates: false + - set: + field: network.direction + value: unknown + if: ctx.network?.direction == null + - set: + field: network.type + value: ipv4 + if: ctx.source?.ip != null && ctx.source?.ip.contains(".") + - set: + field: network.type + value: ipv6 + if: ctx.source?.ip != null && !ctx.source?.ip.contains(".") + - network_direction: + internal_networks_field: _tmp.internal_networks + - community_id: + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: >- + if (ctx.snort?.ip?.tos != null && ctx.snort?.ip?.tos instanceof String) { + ctx.snort.ip.tos = Long.decode(ctx.snort.ip.tos); + } + if (ctx.snort?.eth?.length != null && 
ctx.snort?.eth?.length instanceof String) { + ctx.snort.eth.length = Long.decode(ctx.snort.eth.length); + } + if (ctx.snort?.tcp?.ack != null && ctx.snort?.tcp?.ack instanceof String) { + ctx.snort.tcp.ack = Long.decode(ctx.snort.tcp.ack); + } + if (ctx.snort?.tcp?.seq != null && ctx.snort?.tcp?.seq instanceof String) { + ctx.snort.tcp.seq = Long.decode(ctx.snort.tcp.seq); + } + if (ctx.snort?.tcp?.window != null && ctx.snort?.tcp?.window instanceof String) { + ctx.snort.tcp.window = Long.decode(ctx.snort.tcp.window); + } + - gsub: + field: snort.tcp.flags + pattern: \* + replacement: '' + ignore_missing: true + - append: + field: event.type + value: allowed + if: ctx._tmp?.action == 'Allow' + - append: + field: event.type + value: denied + if: ctx._tmp?.action == 'Block' + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + if: ctx.source?.ip != null + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + - append: + if: ctx.destination?.ip != null + field: related.ip + value: '{{destination.ip}}' + 
allow_duplicates: false + - remove: + field: + - _tmp + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/snort/0.3.1/data_stream/log/fields/agent.yml b/packages/snort/0.3.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..befedc3a20 --- /dev/null +++ b/packages/snort/0.3.1/data_stream/log/fields/agent.yml 
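Review bot: The `on_failure` handler at the end of this pipeline only records `error.message`, so a document that fails in the grok, date or `Long.decode` script processors is still indexed with whatever `event.kind` it had at that point (`alert` once the earlier `set` has run, nothing before it) and is not distinguishable from a correctly parsed alert by a detection rule or dashboard filter. The convention in this repository's other pipelines is to tag such documents explicitly; adding `- set: {field: event.kind, value: pipeline_error}` under `on_failure` makes parse failures visible and keeps them out of alert counts. Two caveats worth a comment near the date processors: the `MM/dd-HH:mm:ss.SSSSSS` formats carry no year, so the date processor fills in the current year and alerts that straddle a year boundary or are replayed later are mis-dated; and `Long.decode` in the script throws on a hex string without a `0x` prefix and reads a leading `0` as octal, both of which `%{BASE16NUM}` admits, so a single such value currently fails the whole document rather than just that field.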
@@ -0,0 +1,176 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/snort/0.3.1/data_stream/log/fields/base-fields.yml b/packages/snort/0.3.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..5dd131e563 
--- /dev/null +++ b/packages/snort/0.3.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,29 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: snort +- name: event.dataset + type: constant_keyword + description: Event dataset + value: snort.log +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + type: long + description: Log offset +- name: input.type + type: keyword + description: Input type diff --git a/packages/snort/0.3.1/data_stream/log/fields/ecs.yml b/packages/snort/0.3.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..9173b1b6da --- /dev/null +++ b/packages/snort/0.3.1/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,274 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: Region ISO code. 
+ name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. 
+ name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: The version / revision of the rule being used for analysis. + name: rule.version + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/snort/0.3.1/data_stream/log/fields/fields.yml b/packages/snort/0.3.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..f06cbb5c5f --- /dev/null +++ b/packages/snort/0.3.1/data_stream/log/fields/fields.yml 
@@ -0,0 +1,85 @@
+- name: snort.gid
+ type: long
+ description: >
+ The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.dd
+
+- name: snort.eth.length
+ type: long
+ description: >
+ Length of the Ethernet header and payload.
+
+- name: snort.dgm.length
+ type: long
+ description: "Length of \n"
+- name: snort.ip
+ type: group
+ fields:
+ - name: tos
+ type: long
+ description: |
+ IP Type of Service identification.
+ - name: ttl
+ type: long
+ description: |
+ Time To Live (TTL) of the packet
+ - name: id
+ type: long
+ description: |
+ ID of the packet
+ - name: flags
+ type: keyword
+ description: |
+ IP flags.
+ - name: length
+ type: long
+ description: |
+ Length of the IP header and payload.
+- name: snort.tcp
+ type: group
+ fields:
+ - name: flags
+ type: keyword
+ description: |
+ TCP flags.
+ - name: seq
+ type: long
+ description: |
+ TCP sequence number.
+ - name: ack
+ type: long
+ description: |
+ TCP Acknowledgment number.
+ - name: window
+ type: long
+ description: |
+ Advertised TCP window size.
+ - name: length
+ type: long
+ description: |
+ Length of the TCP header and payload.
+- name: snort.udp
+ type: group
+ fields:
+ - name: length
+ type: long
+ description: |
+ Length of the UDP header and payload.
+- name: snort.icmp
+ type: group
+ fields:
+ - name: type
+ type: long
+ description: |
+ ICMP type.
+ - name: id
+ type: long
+ description: |
+ ID of the echo request/reply
+ - name: seq
+ type: long
+ description: |
+ ICMP sequence number.
+ - name: code
+ type: long
+ description: |-
+ ICMP code.
diff --git a/packages/snort/0.3.1/data_stream/log/manifest.yml b/packages/snort/0.3.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..01f5928d72
--- /dev/null
+++ b/packages/snort/0.3.1/data_stream/log/manifest.yml
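Review bot: The `snort.dgm.length` description is the double-quoted scalar `"Length of \n"`, so the field text is cut off after "Length of" with a literal newline escape, and the `snort.gid` description ends in a stray `fires.dd`; both strings are reproduced verbatim in the generated README field table. Suggest `description: Length of the IP datagram.` (presumably Snort's DgmLen value — confirm against the pipeline) and dropping the `dd`. As a point of style, the single-line descriptions use `|` (which keeps a trailing newline) except the last, which uses `|-`; a plain scalar or `|-` throughout would be consistent.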
@@ -0,0 +1,131 @@
+type: logs
+title: Snort
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/snort/alert.log
+ - name: multiline_full
+ required: true
+ show_user: true
+ title: Multi-line Alert Full logs
+ description: Enables multiline support if reading the Snort Alert Full log fomat
+ type: bool
+ multi: false
+ default: false
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - snort.log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Snort logs (Logfile)
+ description: Collect Snort logs using logfile input
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: text
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - snort.log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Snort logs (udp)
+ description: Collect Snort logs using udp input
diff --git a/packages/snort/0.3.1/data_stream/log/sample_event.json b/packages/snort/0.3.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..e2add115da
--- /dev/null
+++ b/packages/snort/0.3.1/data_stream/log/sample_event.json
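Review bot: `default: 9514` under `syslog_port` is an unquoted integer on a variable declared `type: text`, so the rendered default and the declared type disagree; `default: "9514"` keeps it a string and matches how the other text vars are written. Two user-facing strings also need fixing: `fomat` → `format` in the `multiline_full` description, and `from UCT` → `from UTC` in the `tz_offset` description, which is duplicated verbatim in the logfile and udp streams so both copies need the change. Since the udp stream accepts syslog datagrams with no sender authentication, it would help operators if the `syslog_host` description noted that the default `localhost` listens only on loopback and that any non-loopback bind should be restricted at the network layer.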
@@ -0,0 +1,99 @@ +{ + "@timestamp": "2022-09-05T16:02:55.000-05:00", + "agent": { + "ephemeral_id": "3ada3cc1-9563-4aa5-880e-585d87fc6adf", + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "snort.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "175.16.199.1", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-09-05T16:02:55.000-05:00", + "dataset": "snort.log", + "ingested": "2022-05-09T16:00:09Z", + "kind": "alert", + "original": "Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -\u003e 175.16.199.1", + "severity": 3, + "timezone": "-05:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.4:54924" + } + }, + "network": { + "community_id": "1:AwywM3uuS+luH6U/hUKtj2x2LWU=", + "direction": "outbound", + "transport": "icmp", + "type": "ipv4" + }, + "observer": { + "name": "dev", + "product": "ids", + "type": "ids", + "vendor": "snort" + }, + "process": { + "name": "snort" + }, + "related": { + "ip": [ + "10.50.10.88", + "175.16.199.1" + ] + }, + "rule": { + "category": "Misc activity", + "description": "Pinging...", + "id": "1000015", + "version": "0" + }, + "snort": { + "gid": 1 + }, + "source": { + "address": "10.50.10.88", + "ip": "10.50.10.88" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snort.log" + ] +} \ No newline at end of file 
diff --git a/packages/snort/0.3.1/docs/README.md b/packages/snort/0.3.1/docs/README.md new file mode 100755 index 0000000000..b72798fbb8 --- /dev/null +++ b/packages/snort/0.3.1/docs/README.md 
@@ -0,0 +1,243 @@ +# Snort Integration + +This integration is for [Snort](https://www.snort.org/). + +## Compatibility + +This module has been developed against Snort v2.9, but is expected to work +with other versions of Snort. This package is designed to read from the PFsense CSV output +and the Alert Fast output either via reading a local logfile or receiving messages via syslog + +## Log + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-09-05T16:02:55.000-05:00", + "agent": { + "ephemeral_id": "3ada3cc1-9563-4aa5-880e-585d87fc6adf", + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "snort.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "175.16.199.1", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-09-05T16:02:55.000-05:00", + "dataset": "snort.log", + "ingested": "2022-05-09T16:00:09Z", + "kind": "alert", + "original": "Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... 
[Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -\u003e 175.16.199.1", + "severity": 3, + "timezone": "-05:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.4:54924" + } + }, + "network": { + "community_id": "1:AwywM3uuS+luH6U/hUKtj2x2LWU=", + "direction": "outbound", + "transport": "icmp", + "type": "ipv4" + }, + "observer": { + "name": "dev", + "product": "ids", + "type": "ids", + "vendor": "snort" + }, + "process": { + "name": "snort" + }, + "related": { + "ip": [ + "10.50.10.88", + "175.16.199.1" + ] + }, + "rule": { + "category": "Misc activity", + "description": "Pinging...", + "id": "1000015", + "version": "0" + }, + "snort": { + "gid": 1 + }, + "source": { + "address": "10.50.10.88", + "ip": "10.50.10.88" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snort.log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. 
| keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. 
This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.ip | All of the IPs seen on your event. | ip | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| snort.dgm.length | Length of | long | +| snort.eth.length | Length of the Ethernet header and payload. | long | +| snort.gid | The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.dd | long | +| snort.icmp.code | ICMP code. | long | +| snort.icmp.id | ID of the echo request/reply | long | +| snort.icmp.seq | ICMP sequence number. | long | +| snort.icmp.type | ICMP type. | long | +| snort.ip.flags | IP flags. | keyword | +| snort.ip.id | ID of the packet | long | +| snort.ip.length | Length of the IP header and payload. 
| long | +| snort.ip.tos | IP Type of Service identification. | long | +| snort.ip.ttl | Time To Live (TTL) of the packet | long | +| snort.tcp.ack | TCP Acknowledgment number. | long | +| snort.tcp.flags | TCP flags. | keyword | +| snort.tcp.length | Length of the TCP header and payload. | long | +| snort.tcp.seq | TCP sequence number. | long | +| snort.tcp.window | Advertised TCP window size. | long | +| snort.udp.length | Length of the UDP header and payload. | long | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
diff --git a/packages/snort/0.3.1/img/snort.svg b/packages/snort/0.3.1/img/snort.svg
new file mode 100755
index 0000000000..53f7782374
--- /dev/null
+++ b/packages/snort/0.3.1/img/snort.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/snort/0.3.1/manifest.yml b/packages/snort/0.3.1/manifest.yml
new file mode 100755
index 0000000000..d1e61c02cf
--- /dev/null
+++ b/packages/snort/0.3.1/manifest.yml
@@ -0,0 +1,29 @@
+name: snort
+title: Snort
+version: "0.3.1"
+release: experimental
+description: Collect logs from Snort with Elastic Agent.
+type: integration
+icons:
+ - src: /img/snort.svg
+ title: snort
+ size: 120x60
+ type: image/svg+xml
+format_version: 1.0.0
+license: basic
+categories: [network, security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+policy_templates:
+ - name: snort
+ title: Snort logs
+ description: Collect logs from Snort instances
+ inputs:
+ - type: logfile
+ title: "Collect Snort logs (input: logfile)"
+ description: "Collecting logs from Snort instances (input: logfile)"
+ - type: udp
+ title: "Collect Snort logs (input: udp)"
+ description: "Collecting logs from Snort instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/sonicwall/0.8.1/changelog.yml b/packages/sonicwall/0.8.1/changelog.yml
new file mode 100755
index 0000000000..bca15bd94e
--- /dev/null
+++ b/packages/sonicwall/0.8.1/changelog.yml
@@ -0,0 +1,106 @@
+# newer versions go on top
+- version: "0.8.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3360
+- version: "0.8.0"
+ changes:
+ - description: Update to ECS 8.2.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "0.7.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.7.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2595
+- version: "0.6.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.6.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2248
+- version: "0.5.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2087
+- version: "0.5.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1986
+- version: "0.5.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "0.5.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1850
+- version: "0.5.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1677
+- version: '0.4.4'
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.4.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1503
+- version: '0.4.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1417
+- version: "0.4.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.4.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1274
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1101
+- version: "0.1.5"
+ changes:
+ - description: Add missing "geo" fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/919
+- version: "0.1.4"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/869
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: 
https://github.com/elastic/package-storage/pull/181
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/stream.yml.hbs b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..180ea60135
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/stream.yml.hbs
@@ -0,0 +1,9739 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ], + on_success: processor_chain([ + dup112, + ]), + }); + + var dup247 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var dup248 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var dup249 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup250 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup251 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var dup252 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup253 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), 
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..7c1f4432d2 --- /dev/null +++ b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,9736 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ], + on_success: processor_chain([ + dup112, + ]), + }); + + var dup247 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var dup248 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var dup249 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup250 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup251 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var dup252 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup253 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), 
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..62b0a8c15e --- /dev/null +++ b/packages/sonicwall/0.8.1/data_stream/firewall/agent/stream/udp.yml.hbs 
@@ -0,0 +1,9736 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+ 
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+ 
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+ 
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+ 
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+ 
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+ 
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+ 
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+ 
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ], + on_success: processor_chain([ + dup112, + ]), + }); + + var dup247 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var dup248 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var dup249 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup250 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup251 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var dup252 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup253 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), 
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall/0.8.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..06c87bf0a9
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,84 @@
+---
+description: Pipeline for Sonicwall-FW
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - gsub:
+ field: destination.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - gsub:
+ field: source.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - uppercase:
+ field: destination.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
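Review bot: The `on_failure` handler at the end of this hunk only appends the processor failure text to `error.message`, so a document that fails geoip, user_agent or any other step here is still indexed with whatever `event.kind` the upstream parser left on it and is indistinguishable from a cleanly parsed firewall event in searches and detection rules. Marking failed documents lets them be filtered out of, or alerted on from, the firewall data stream. I would add a second entry under `on_failure` alongside the existing append: `- set:` / `field: event.kind` / `value: pipeline_error`. The `remove` of `event.original` just above already uses `ignore_failure: true`, so it would not trigger this handler, which is the intended behaviour.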
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/fields/base-fields.yml b/packages/sonicwall/0.8.1/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..a73f5492de
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: sonicwall
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: sonicwall.firewall
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/fields/ecs.yml b/packages/sonicwall/0.8.1/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..ded07b52f3
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,553 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ The highest registered client domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: client.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: client.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: client.top_level_domain
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: destination.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. 
+ name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
+ name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. 
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/fields/fields.yml b/packages/sonicwall/0.8.1/data_stream/firewall/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only, when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. 
Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase. 
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer’s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ 
description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ ignore_above: 1024
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/sonicwall/0.8.1/data_stream/firewall/manifest.yml b/packages/sonicwall/0.8.1/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..ee20464f38
--- /dev/null
+++ b/packages/sonicwall/0.8.1/data_stream/firewall/manifest.yml
@@ -0,0 +1,204 @@
+title: Sonicwall-FW logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9536
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+
+ - input: tcp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9536
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+
+ - input: logfile
+ enabled: false
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/sonicwall-firewall.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/sonicwall/0.8.1/docs/README.md b/packages/sonicwall/0.8.1/docs/README.md
new file mode 100755
index 0000000000..3f2bbbb93d
--- /dev/null
+++ b/packages/sonicwall/0.8.1/docs/README.md
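Review bot: The `processors` help text is written as a clipped folded scalar (`description: >`) in the udp and tcp inputs but as a stripped one (`description: >-`) in the logfile input, so the first two carry a trailing newline into the rendered text while the third does not; using `description: >-` in all three inputs would make the hunk consistent. The `preserve_original_event` var also lists its keys in a different order (`required`, `show_user`, `title`, `description`, `type`, `multi`, `default`) from every other var in the file, which reads as pasted from another package; reordering it to the `name`/`type`/`title`/`multi`/`required`/`show_user`/`default` layout used by its neighbours would make the three input blocks easier to diff against each other. Finally, the logfile input states `enabled: false` explicitly while the udp and tcp inputs carry no `enabled` key at all, so the reader has to know the spec default to tell which listeners come up; if the network inputs are meant to be on by default, an explicit `enabled: true` on each would document that intent.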
@@ -0,0 +1,829 @@
+# Sonicwall integration
+
+This integration is for Sonicwall device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+- `firewall` dataset: supports Sonicwall-FW logs.
+
+### Firewall
+
+The `firewall` dataset collects Sonicwall-FW logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword |
+| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| container.id | Unique container id. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.domain | Server domain. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name. | keyword |
+| geo.country_name | Country name. 
| keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file. 
| long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. 
| keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. 
| keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. 
| keyword |
+| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/sonicwall/0.8.1/img/logo.svg b/packages/sonicwall/0.8.1/img/logo.svg new file mode 100755 index 0000000000..fb1aded68a --- /dev/null +++ b/packages/sonicwall/0.8.1/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/sonicwall/0.8.1/manifest.yml b/packages/sonicwall/0.8.1/manifest.yml new file mode 100755 index 0000000000..80ca19a62d --- /dev/null +++ b/packages/sonicwall/0.8.1/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: sonicwall
+title: Sonicwall-FW Logs
+version: "0.8.1"
+description: Collect logs from Sonicwall devices with Elastic Agent.
+categories: ["network", "security"]
+release: experimental
+license: basic
+type: integration
+conditions:
+  kibana.version: "^7.14.1 || ^8.0.0"
+policy_templates:
+  - name: firewall
+    title: Sonicwall-FW
+    description: Collect Sonicwall-FW logs from syslog or a file.
+    inputs:
+      - type: udp
+        title: Collect logs from Sonicwall-FW via UDP
+        description: Collecting syslog from Sonicwall-FW via UDP
+      - type: tcp
+        title: Collect logs from Sonicwall-FW via TCP
+        description: Collecting syslog from Sonicwall-FW via TCP
+      - type: logfile
+        title: Collect logs from Sonicwall-FW via file
+        description: Collecting syslog from Sonicwall-FW via file.
+icons:
+  - src: /img/logo.svg
+    title: Sonicwall-FW logo
+    size: 32x32
+    type: image/svg+xml
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/sophos/2.2.1/changelog.yml b/packages/sophos/2.2.1/changelog.yml
new file mode 100755
index 0000000000..5280809e22
--- /dev/null
+++ b/packages/sophos/2.2.1/changelog.yml
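Review bot: The input descriptions under the `firewall` policy template are inconsistently punctuated — the udp and tcp entries end without a period while the logfile entry ends with one; `description: Collecting syslog from Sonicwall-FW via UDP.` and the matching TCP line would bring them in line with the policy-template description above them. Since the udp and tcp inputs accept syslog from the network with no authentication of the sender, the policy-template description would also benefit from a sentence noting that the TCP listener should be run with TLS where the device supports it and that the UDP listener should be bound to an address reachable only from the firewall; the per-input variables that would expose those settings are presumably in the data stream manifest, which is outside this hunk. The vendor's own spelling is "SonicWall", so `title: SonicWall-FW Logs` would be more accurate, though that change is cosmetic.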
@@ -0,0 +1,175 @@
+# newer versions go on top
+- version: "2.2.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS for the UTM data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3370
+- version: "2.2.0"
+ changes:
+ - description: Improve inputs for Sophos XG pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3322
+- version: "2.1.0"
+ changes:
+ - description: Update to ECS 8.2.0 to use new email field set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2798
+- version: "2.0.0"
+ changes:
+ - description: Remove space from sophos.xg.trans_src_ip field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Do not modify event.original.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Populate `url.*` fields based on `sophos.xg.url`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Rename `sophos.xg.reason` to `event.reason` (ECS).
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Lowercase `network.transport` as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Format `source.mac` and `destination.mac` as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Set the `event.code` from the message ID (and remove `sophos.xg.message_id`).
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Add `network.community_id`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3127
+ - description: Reduce event size by removing `client` and `server` fields that are clones of `source` and `destination`, respectively.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/3127
+- version: "1.2.3"
+ changes:
+ - description: Update pipelines to parse new fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2163
+- version: "1.2.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.1"
+ changes:
+ - description: Add missing ingest pipeline for "System Health" logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2743
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2596
+- version: "1.1.3"
+ changes:
+ - description: Fix KV splitting and syslog header handling
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2320
+- version: "1.1.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.1.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2271
+- version: "1.0.6"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2086
+- version: "1.0.5"
+ changes:
+ - description: Support hostname in syslog header in UTM data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2034
+- version: "1.0.4"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1987
+- version: "1.0.3"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "1.0.2"
+ changes:
+ - description: Fix logic that adds known devices to policy
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1888
+- version: "1.0.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1851
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1775
+- version: "0.6.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1678
+- version: "0.5.4"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.5.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1504
+- version: '0.5.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1418
+- version: "0.5.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.5.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.4.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1275
+- version: "0.3.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1102
+- version: "0.2.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/870
+- version: "0.2.0"
+ changes:
+ - 
description: Add XG data stream
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/package-storage/pull/400
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/package-storage/pull/400
diff --git a/packages/sophos/2.2.1/data_stream/utm/agent/stream/stream.yml.hbs b/packages/sophos/2.2.1/data_stream/utm/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..8cce59a86f
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/agent/stream/stream.yml.hbs
@@ -0,0 +1,5072 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sophos" + product: "UTM" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ + setc("header_id","0003"), + setc("messageid","reverseproxy"), + ])); + + var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0004"), + setc("messageid","astarosg_TVM"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0006"), + setc("messageid","Sophos_Firewall"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg1 = msg("named:01", part1); + + var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg2 = msg("named:02", part2); + + var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("named:03", part3); + + var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ + dup5, + dup2, + dup3, + ])); + + var msg4 = msg("named:04", part4); + + var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg5 = msg("named:05", part5); + + var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ + setc("eventcategory","1804000000"), + dup2, + dup3, + ])); + + var msg6 = msg("named:06", part6); + + var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg7 = msg("named:07", part7); + + var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg8 = msg("named:08", part8); + + var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ + dup7, + dup2, + dup3, + setc("action","reloading"), + ])); + + var msg9 = msg("named:09", part9); + + var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + ])); + + var msg10 = msg("named:10", part10); + + var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + setc("action","all zones loaded"), + ])); + + var msg11 = msg("named:11", part11); + + var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ + dup7, + setc("disposition","running"), + dup2, + dup3, + setc("action","running"), + ])); + + var msg12 = msg("named:12", part12); + + var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ + dup7, + setc("context","built-in root key"), 
+ dup2, + dup3, + ])); + + var msg13 = msg("named:13", part13); + + var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg14 = msg("named:14", part14); + + var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ + dup10, + setc("event_description","named:too many timeouts resolving DNS."), + dup11, + dup2, + ])); + + var msg15 = msg("named:15", part15); + + var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:FORMERR resolving DNS."), + dup11, + dup2, + ])); + + var msg16 = msg("named:16", part16); + + var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), + dup11, + dup2, + ])); + + var msg17 = msg("named:17", part17); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + ]); + + var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ + dup12, + setc("event_description","httpproxy:Integrated HTTP-Proxy."), + dup11, + dup2, + ])); + + var msg18 = msg("httpproxy:09", part18); + + var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ + dup10, + setc("event_description","httpproxy:Name or service not known."), + dup11, + dup2, + ])); + + var msg19 = msg("httpproxy:10", part19); + + var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ + dup10, + setc("event_description","httpproxy:failed to resolve passthrough."), + dup11, + dup2, + ])); + + var msg20 = msg("httpproxy:11", part20); + + var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ + dup10, + setc("event_description","httpproxy:ssl handshake failure."), + dup11, + dup2, + ])); + + var msg21 = msg("httpproxy:12", part21); + + var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ + dup10, + setc("event_description","httpproxy:EVP_DecryptFinal failed."), + dup11, + dup2, + ])); + + var msg22 = msg("httpproxy:13", part22); + + var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ + dup10, + setc("event_description","httpproxy:decrypt failed."), + dup11, + dup2, + ])); + + var msg23 = msg("httpproxy:14", part23); + + var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:reloading av pattern"), + dup11, + dup2, + ])); + + var msg24 = msg("httpproxy:15", part24); + + var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ + dup12, + setc("event_description","httpproxy:sc_check_servers.Server checked."), + dup11, + dup2, + ])); + + var msg25 = msg("httpproxy:16", part25); + + var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ + dup12, + setc("event_description","httpproxy:shutdown finished, exiting."), + dup11, + dup2, + ])); 
+ + var msg26 = msg("httpproxy:17", part26); + + var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ + dup12, + setc("event_description","httpproxy:"), + dup11, + dup2, + ])); + + var msg27 = msg("httpproxy:18", part27); + + var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ + dup12, + setc("event_description","httpproxy:reading profiles"), + dup11, + dup2, + ])); + + var msg28 = msg("httpproxy:19", part28); + + var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ + dup12, + setc("event_description","httpproxy:finished startup"), + dup11, + dup2, + ])); + + var msg29 = msg("httpproxy:20", part29); + + var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:read_request_headers related message."), + dup11, + dup2, + ])); + + var msg30 = msg("httpproxy:21", part30); + + var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_loop related message."), + dup11, + dup2, + ])); + + var msg31 = msg("httpproxy:22", part31); + + var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scan_exit related message."), + dup11, + dup2, + ])); + + var msg32 = msg("httpproxy:23", part32); + + var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_exit related message."), + dup11, + dup2, + ])); + + var msg33 = msg("httpproxy:24", part33); + + var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_exit related message."), + dup11, + dup2, + ])); + + var msg34 = msg("httpproxy:25", part34); + + var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_zap related message."), + dup11, + dup2, + ])); + + var msg35 = msg("httpproxy:26", part35); + + var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scanner_init related message."), + dup11, + dup2, + ])); + + var msg36 = msg("httpproxy:27", part36); + + var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { + "action": "action", + "ad_domain": "fld1", + "app-id": "fld18", + "application": "fld17", + "auth": "fld10", + "authtime": "fld4", + "avscantime": "fld7", + "cached": "fld2", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld6", + "content-type": "content_type", + "device": "fld9", + "dnstime": "fld5", + "dstip": "daddr", + "error": "result", + "exceptions": "fld12", + "extension": "fld13", + "file": "filename", + "filename": "filename", + "filteraction": "fld3", + "fullreqtime": "fld8", + "function": "action", + "group": "group", + "id": "rule", + "line": "fld14", + "message": "context", + "method": "web_method", + "name": "event_description", + "profile": "policyname", + "reason": "rule_group", + "referer": "web_referer", + "reputation": "fld16", + "request": "connectionid", + "severity": "severity", + "size": "rbytes", + "srcip": "saddr", + "statuscode": "resultcode", + "sub": "network_service", + "sys": "vsys", + "time": "fld15", + "ua": "fld11", + "url": "url", + "user": "username", + }, processor_chain([ + dup13, + dup11, + dup2, + dup45, + 
dup46, + ])); + + var msg37 = msg("httpproxy:01", part37); + + var select3 = linear_select([ + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg38 = msg("URID:01", part38); + + var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { + "action": "action", + "code": "fld30", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "fwrule": "policy_id", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "name": "event_description", + "outitf": "dinterface", + "prec": "fld27", + "proto": "fld24", + "seq": "fld23", + "severity": "severity", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub": "network_service", + "sys": "vsys", + "tcpflags": "fld29", + "tos": "fld26", + "ttl": "fld28", + "type": "fld31", + }, processor_chain([ + dup13, + setc("ec_subject","NetworkComm"), + setc("ec_activity","Scan"), + setc("ec_theme","TEV"), + dup11, + dup2, + dup45, + dup46, + ])); + + var msg39 = msg("ulogd:01", part39); + + var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ + dup6, + setc("disposition","configured"), + dup2, + dup3, + ])); + + var msg40 = msg("reverseproxy:01", part40); + + var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg41 = msg("reverseproxy:02", part41); + + var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg42 = msg("reverseproxy:03", part42); + + var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ + dup17, + setc("event_id","AH00292"), + dup2, + dup3, + ])); + + var msg43 = msg("reverseproxy:04", part43); + + var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ + setc("eventcategory","1805010000"), + dup18, + dup2, + dup3, + ])); + + var msg44 = msg("reverseproxy:06", part44); + + var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); + + var select4 = linear_select([ + dup19, + ]); + + var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); + + var all1 = all_match({ + processors: [ + part45, + select4, + part46, + ], + on_success: processor_chain([ + dup5, + setc("event_id","AH00297"), + dup2, + dup3, + ]), + }); + + var msg45 = msg("reverseproxy:07", all1); + + var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ + dup4, + setc("event_id","AH00112"), + dup2, + dup3, + ])); + + var msg46 = msg("reverseproxy:08", part47); + + var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ + setc("eventcategory","1605010000"), + setc("event_id","AH00094"), + dup2, + dup3, + ])); + + var msg47 = msg("reverseproxy:09", part48); + + var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ + dup12, + setc("event_id","AH00291"), + dup2, + dup3, + ])); + + var msg48 = msg("reverseproxy:10", part49); + + var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ + dup20, + setc("event_id","AH02572"), + dup2, + dup3, + ])); + + var msg49 = msg("reverseproxy:11", part50); + + var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ + dup20, + setc("context","SSL Library Error"), + dup2, + dup3, + ])); + + var msg50 = msg("reverseproxy:12", part51); + + var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ + dup20, + setc("result","Fatal error"), + setc("event_id","AH02312"), + dup2, + dup3, + ])); + + var msg51 = msg("reverseproxy:13", part52); + + var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ + dup20, + setc("result","Configuration Failed"), + setc("event_id","AH00020"), + dup2, + dup3, + ])); + + var msg52 = msg("reverseproxy:14", part53); + + var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ + setc("eventcategory","1609000000"), + setc("context","Unclean shutdown"), + setc("event_id","AH00098"), + dup2, + dup3, + ])); + + var msg53 = msg("reverseproxy:15", part54); + + var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ + dup16, + setc("event_id","AH00295"), + dup2, + dup3, + ])); + + var msg54 = msg("reverseproxy:16", part55); + + var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); + + var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); + + var select5 = linear_select([ + part57, + dup19, + ]); + + var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all2 = all_match({ + processors: [ + part56, + select5, + part58, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + ]), + }); + + var msg55 = msg("reverseproxy:17", all2); + + var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ + dup4, + dup22, + dup2, + dup3, + ])); + + var msg56 = msg("reverseproxy:18", part59); + + var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ + dup23, + dup22, + dup2, + dup3, + ])); + + var msg57 = msg("reverseproxy:19", part60); + + var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg58 = msg("reverseproxy:20", part61); + + var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ + dup20, + dup18, + setc("event_id","AH01909"), + dup2, + dup3, + ])); + + var msg59 = msg("reverseproxy:21", part62); + + var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ + dup20, + setc("comments","Invalid port configuration"), + dup2, + dup3, + ])); + + var msg60 = msg("reverseproxy:22", part63); + + var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg61 = msg("reverseproxy:23", part64); + + var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg62 = msg("reverseproxy:24", part65); + + var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg63 = msg("reverseproxy:25", part66); + + var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); + + var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); + + var select6 = linear_select([ + part68, + dup19, + ]); + + var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); + + var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); + + var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); + + var select7 = linear_select([ + part70, + part71, + ]); + + var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all3 = all_match({ + processors: [ + part67, + select6, + part69, + select7, + part72, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + ]), + }); + + var msg64 = msg("reverseproxy:26", all3); + + var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg65 = msg("reverseproxy:27", part73); + + var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ + dup26, + setc("result","virus daemon error"), + dup2, + dup3, + ])); + + var msg66 = msg("reverseproxy:28", part74); + + var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ + dup27, + 
setc("result","virus found"), + dup2, + dup3, + ])); + + var msg67 = msg("reverseproxy:29", part75); + + var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg68 = msg("reverseproxy:30", part76); + + var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ + dup25, + setc("result","Cannot read reply"), + dup2, + dup3, + ])); + + var msg69 = msg("reverseproxy:31", part77); + + var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg70 = msg("reverseproxy:32", part78); + + var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg71 = msg("reverseproxy:33", part79); + + var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg72 = msg("reverseproxy:34", part80); + + var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg73 = msg("reverseproxy:35", part81); + + var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ + dup27, + setc("result","Virus found"), + dup2, + dup3, + ])); + + var msg74 = msg("reverseproxy:36", part82); + + var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg75 = msg("reverseproxy:37", part83); + + var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg76 = msg("reverseproxy:38", part84); + + var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ + dup23, + setc("result","Form validation failed"), + dup2, + dup3, + ])); + + var msg77 = msg("reverseproxy:39", part85); + + var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ + dup25, + setc("result","Sending trickle failed"), + dup2, + dup3, + ])); + + var msg78 = msg("reverseproxy:40", part86); + + var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg79 = msg("reverseproxy:41", part87); + + var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ + setc("eventcategory","1603050000"), + dup2, + dup3, + ])); + + var msg80 = msg("reverseproxy:42", part88); + + var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ + dup30, + setc("event_id","AH01110"), + setc("result","Error reading response"), + dup2, + dup3, + ])); + + var msg81 = msg("reverseproxy:43", part89); + + var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1601020000"), + setc("result","No form context found"), + dup2, + dup3, + ])); + + var msg82 = msg("reverseproxy:44", part90); + + var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ + dup25, + setc("event_id","AH00957"), + dup2, + dup3, + ])); + + var msg83 = msg("reverseproxy:45", part91); + + var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ + dup16, + setc("event_id","AH00959"), + setc("result","disabling worker"), + dup2, + dup3, + ])); + + var msg84 = msg("reverseproxy:46", part92); + + var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1801000000"), + setc("context","Not all file sent to client"), + dup2, + dup3, + ])); + + var msg85 = msg("reverseproxy:47", part93); + + var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg86 = msg("reverseproxy:48", part94); + + var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg87 = msg("reverseproxy:49", part95); + + var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { + "cookie": "web_cookie", + "exceptions": "policy_waiver", + "extra": "info", + "host": "dhost", + "id": "policy_id", + "localip": "fld3", + "method": "web_method", + "reason": "comments", + "referer": "web_referer", + "server": "daddr", + "set-cookie": "fld5", + "size": "fld4", + "srcip": "saddr", + "statuscode": "resultcode", + "time": "processing_time", + "url": "web_root", + "user": "username", + }, processor_chain([ + setc("eventcategory","1802000000"), + dup2, + dup3, + ])); + + var msg88 = 
msg("reverseproxy:05", part96); + + var select8 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { + "id": "fld5", + "name": "event_description", + "severity": "severity", + "sub": "service", + "sys": "fld2", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg89 = msg("confd-sync", part97); + + var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { + "account": "logon_id", + "attributes": "obj_name", + "class": "group_object", + "client": "fld3", + "count": "fld4", + "facility": "logon_type", + "id": "fld1", + "name": "event_description", + "node": "node", + "object": "fld6", + "severity": "severity", + "srcip": "saddr", + "storage": "directory", + "sub": "service", + "sys": "fld2", + "type": "obj_type", + "user": "username", + "version": "version", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg90 = msg("confd:01", part98); + + var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy Frox started."), + dup11, + dup2, + ])); + + var msg91 = msg("frox", part99); + + var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy listening on port."), + dup11, + dup2, + ])); + + var msg92 = msg("frox:01", part100); + + var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ + dup12, + 
setc("event_description","frox:FTP Proxy dropped priveleges."), + dup11, + dup2, + ])); + + var msg93 = msg("frox:02", part101); + + var select9 = linear_select([ + msg91, + msg92, + msg93, + ]); + + var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ + dup12, + setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), + dup11, + dup2, + ])); + + var msg94 = msg("afcd", part102); + + var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ + dup12, + setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), + dup11, + dup2, + ])); + + var msg95 = msg("ipsec_starter", part103); + + var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ + dup12, + setc("event_description","ipsec_starter: IP address or index of physical interface changed."), + dup11, + dup2, + ])); + + var msg96 = msg("ipsec_starter:01", part104); + + var select10 = linear_select([ + msg95, + msg96, + ]); + + var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: Starting Pluto."), + dup11, + dup2, + ])); + + var msg97 = msg("pluto", part105); + + var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: including NAT-Traversal patch."), + dup11, + dup2, + ])); + + var msg98 = msg("pluto:01", part106); + + var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating encryption algorithm."), + dup11, + dup2, + ])); + + var msg99 = msg("pluto:02", 
part107); + + var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating hash algorithm."), + dup11, + dup2, + ])); + + var msg100 = msg("pluto:03", part108); + + var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ + dup12, + setc("event_description","pluto: Testing registered IKE encryption algorithms"), + dup11, + dup2, + ])); + + var msg101 = msg("pluto:04", part109); + + var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test not available."), + dup11, + dup2, + ])); + + var msg102 = msg("pluto:05", part110); + + var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test passed."), + dup11, + dup2, + ])); + + var msg103 = msg("pluto:06", part111); + + var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ + dup12, + setc("event_description","pluto: Using KLIPS IPsec interface code"), + dup11, + dup2, + ])); + + var msg104 = msg("pluto:07", part112); + + var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","pluto: adding interface"), + dup11, + dup2, + ])); + + var msg105 = msg("pluto:08", part113); + + var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ + dup34, + setc("event_description","pluto: loading secrets"), + dup11, + dup2, + ])); + + var msg106 = msg("pluto:09", part114); + + var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ + dup34, + setc("event_description","pluto: loaded private key file"), + dup11, + dup2, + ])); + + var msg107 = msg("pluto:10", part115); + + var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ + dup12, + setc("event_description","pluto: added connection description"), + dup11, + dup2, + ])); + + var msg108 = msg("pluto:11", part116); + + var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, + ])); + + var msg109 = msg("pluto:12", part117); + + var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ + dup10, + dup36, + dup11, + dup2, + ])); + + var msg110 = msg("pluto:13", part118); + + var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, + ])); + + var msg111 = msg("pluto:14", part119); + + var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ + dup12, + setc("event_description","pluto:forgetting secrets"), + dup11, + dup2, + ])); + + var msg112 = msg("pluto:15", part120); + + var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ + dup12, + setc("event_description","pluto:Changing to directory"), + dup11, + dup2, + ])); + + var msg113 = msg("pluto:17", part121); + + var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ + dup12, + setc("event_description","pluto:*time to handle event"), + dup11, + dup2, + ])); + + var msg114 = 
msg("pluto:18", part122); + + var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ + dup12, + setc("event_description","pluto:*received kernel message"), + dup11, + dup2, + ])); + + var msg115 = msg("pluto:19", part123); + + var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ + dup25, + setc("event_description","pluto:rejected packet"), + dup11, + dup2, + ])); + + var msg116 = msg("pluto:20", part124); + + var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg117 = msg("pluto:21", part125); + + var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg118 = msg("pluto:22", part126); + + var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg119 = msg("pluto:23", part127); + + var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg120 = msg("pluto:24", part128); + + var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg121 = msg("pluto:25", part129); + + var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg122 = msg("pluto:26", part130); + + var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg123 = msg("pluto:27", part131); + + var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg124 = msg("pluto:28", part132); + + var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg125 = msg("pluto:29", part133); + + var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg126 = msg("pluto:30", part134); + + var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg127 = msg("pluto:31", part135); + + var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ + dup12, + setc("event_description","not authenticated"), + dup11, + dup2, + ])); + + var msg128 = msg("pluto:32", part136); + + var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, + ])); + + var msg129 = msg("pluto:33", part137); + + var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ + dup12, + dup36, + dup11, + dup2, + ])); + + var msg130 = msg("pluto:34", part138); + + var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, + ])); + + var msg131 = msg("pluto:35", part139); + + var select11 = linear_select([ + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + ]); + + var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","xl2tpd:This binary does not support kernel L2TP."), + dup11, + dup2, + ])); + + var msg132 = msg("xl2tpd", part140); + + var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ + dup12, + setc("event_description","xl2tpd:xl2tpd started."), + dup11, + dup2, + ])); + + var msg133 = msg("xl2tpd:01", part141); + + var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg134 = msg("xl2tpd:02", part142); + + var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg135 = msg("xl2tpd:03", part143); + + var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg136 = msg("xl2tpd:04", 
part144); + + var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg137 = msg("xl2tpd:05", part145); + + var select12 = linear_select([ + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + ]); + + var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ + dup12, + setc("event_description","barnyard: Exiting"), + dup11, + dup2, + ])); + + var msg138 = msg("barnyard:01", part146); + + var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Initializing daemon mode"), + dup11, + dup2, + ])); + + var msg139 = msg("barnyard:02", part147); + + var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ + dup12, + setc("event_description","barnyard:Opened spool file."), + dup11, + dup2, + ])); + + var msg140 = msg("barnyard:03", part148); + + var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Waiting for new data"), + dup11, + dup2, + ])); + + var msg141 = msg("barnyard:04", part149); + + var select13 = linear_select([ + msg138, + msg139, + msg140, + msg141, + ]); + + var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ + dup12, + setc("event_description","exim:SMTP connection from localhost closed by QUIT"), + dup11, + dup2, + ])); + + var msg142 = msg("exim:01", part150); + + var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ + setc("eventcategory","1207010000"), + setc("event_description","exim:e-mail accepted from relay."), + dup11, + dup2, + ])); + + var msg143 = msg("exim:02", part151); + + var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ + setc("eventcategory","1207000000"), + setc("event_description","exim: e-mail sent."), + dup11, + dup2, + ])); + + var msg144 = msg("exim:03", part152); + + var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ + dup39, + setc("event_description","exim: e-mail host lookup did not complete in DNS."), + dup11, + dup2, + ])); + + var msg145 = msg("exim:04", part153); + + var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ + dup39, + setc("event_description","exim: e-mail routing defer:retry time not reached."), + dup11, + dup2, + ])); + + var msg146 = msg("exim:05", part154); + + var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ + dup12, + setc("event_description","exim: exim daemon started."), + dup11, + dup2, + ])); + + var msg147 = msg("exim:06", part155); + + var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ + dup12, + 
setc("event_description","exim: Start queue run."), + dup11, + dup2, + ])); + + var msg148 = msg("exim:07", part156); + + var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ + dup12, + setc("event_description","exim: SIGHUP received: re-exec daemon."), + dup11, + dup2, + ])); + + var msg149 = msg("exim:08", part157); + + var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim: SMTP connection from host."), + dup11, + dup2, + ])); + + var msg150 = msg("exim:09", part158); + + var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:rejected EHLO from host."), + dup11, + dup2, + ])); + + var msg151 = msg("exim:10", part159); + + var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), + dup11, + dup2, + ])); + + var msg152 = msg("exim:11", part160); + + var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:TLS error on connection from host."), + dup11, + dup2, + ])); + + var msg153 = msg("exim:12", part161); + + var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg154 = msg("exim:13", part162); + + var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg155 = msg("exim:14", part163); + + var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg156 = msg("exim:15", part164); + + var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg157 = msg("exim:16", part165); + + var select14 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + ]); + + var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ + dup12, + setc("event_description","smtpd: Process moved to work queue."), + dup11, + dup2, + ])); + + var msg158 = msg("smtpd:01", part166); + + var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ + setc("eventcategory","1207010100"), + dup11, + dup2, + ])); + + var msg159 = msg("smtpd:02", part167); + + var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ + dup12, + setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), + dup11, + dup2, + ])); + + 
var msg160 = msg("smtpd:03", part168); + + var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), + dup11, + dup2, + ])); + + var msg161 = msg("smtpd:04", part169); + + var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), + dup11, + dup2, + ])); + + var msg162 = msg("smtpd:07", part170); + + var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), + dup11, + dup2, + ])); + + var msg163 = msg("smtpd:05", part171); + + var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:Sending QR one."), + dup11, + dup2, + ])); + + var msg164 = msg("smtpd:06", part172); + + var select15 = linear_select([ + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + ]); + + var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ + dup10, + setc("event_description","sshd: Did not receive identification string."), + dup11, + dup2, + ])); + + var msg165 = msg("sshd:01", part173); + + var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ + dup12, + setc("event_description","sshd:Received SIGHUP restarting."), + dup11, + dup2, + ])); + + var msg166 = msg("sshd:02", part174); + + var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ + dup12, + setc("event_description","sshd:Server listening; restarting."), + dup11, + dup2, + ])); + + var msg167 = msg("sshd:03", part175); + + var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ + dup41, + setc("event_description","sshd:Invalid user admin."), + dup11, + dup2, + ])); + + var msg168 = msg("sshd:04", part176); + + var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed none for invalid user admin."), + dup11, + dup2, + ])); + + var msg169 = msg("sshd:05", part177); + + var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ + dup10, + setc("event_description","sshd:error:Could not get shadow information for NOUSER"), + dup11, + dup2, + ])); + + var msg170 = msg("sshd:06", part178); + + var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed password for root."), + dup11, + dup2, + ])); + + var msg171 = msg("sshd:07", part179); + + var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + setc("eventcategory","1302000000"), + setc("event_description","sshd:Accepted password for loginuser."), + dup11, + dup2, + ])); + + var msg172 = msg("sshd:08", part180); + + var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ + dup10, + setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), + dup11, + dup2, + ])); + + var msg173 = msg("sshd:09", part181); 
+ + var select16 = linear_select([ + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + ]); + + var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { + "caller": "fld4", + "engine": "fld5", + "id": "fld1", + "name": "event_description", + "severity": "severity", + "srcip": "saddr", + "sub": "service", + "sys": "fld2", + "user": "username", + }, processor_chain([ + dup13, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg174 = msg("aua:01", part182); + + var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ + dup12, + setc("event_description","sockd: created new negotiatorchild."), + dup11, + dup2, + ])); + + var msg175 = msg("sockd:01", part183); + + var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ + dup12, + setc("event_description","sockd:dante/server running."), + dup11, + dup2, + ])); + + var msg176 = msg("sockd:02", part184); + + var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ + dup12, + setc("event_description","sockd:sockdexit():terminating on signal."), + dup11, + dup2, + ])); + + var msg177 = msg("sockd:03", part185); + + var select17 = linear_select([ + msg175, + msg176, + msg177, + ]); + + var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ + dup12, + setc("event_description","pop3proxy:Master started."), + dup11, + dup2, + ])); + + var msg178 = msg("pop3proxy", part186); + + var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + 
"categoryname": "info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "url": "url", + "user": "username", + "version": "version", + }, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg179 = msg("astarosg_TVM", part187); + + var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + "categoryname": 
"info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "port": "network_port", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "query": "web_query", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "uid": "uid", + "url": "url", + "user": "username", + "version": "version", + }, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg180 = msg("httpd", part188); + + var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ + setc("eventcategory","1502000000"), + dup2, + dup3, + ])); + + var msg181 = msg("httpd:01", part189); + + var select18 = linear_select([ + msg180, + msg181, + ]); + + var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { + "activityname": "fld9", + "appfilter_policy_id": "fld10", + "application": "application", + "application_category": "fld23", + "application_risk": "risk_num", + "application_technology": "fld11", + "appresolvedby": "fld22", + "category": "fld4", + "category_type": "fld5", + "connevent": "fld19", + "connid": "connectionid", + "contenttype": "content_type", + "dir_disp": "fld18", + "domain": "fqdn", + "dst_country_code": "location_dst", + "dst_ip": "daddr", + "dst_port": "dport", + "dstzone": "dst_zone", + "dstzonetype": "fld17", + "duration": "duration", + "exceptions": "fld8", + "fw_rule_id": "rule_uid", + "hb_health": "fld21", + "httpresponsecode": "fld7", + "iap": "id1", + "in_interface": "sinterface", + "ips_policy_id": "policy_id", + "log_component": "event_source", + "log_subtype": "category", + "log_type": "event_type", + "message": "info", + "out_interface": "dinterface", + "override_token": "fld6", + "policy_type": "fld23", + "priority": "severity", + "protocol": "protocol", + "reason": "result", + "recv_bytes": "rbytes", + "recv_pkts": "fld15", + "referer": "web_referer", + "sent_bytes": "sbytes", + "sent_pkts": "fld14", + "src_country_code": "location_src", + "src_ip": "saddr", + "src_mac": "smacaddr", + "src_port": "sport", + "srczone": "src_zone", + "srczonetype": "fld16", + "status": "event_state", + "status_code": "resultcode", + "tran_dst_ip": "dtransaddr", + 
"tran_dst_port": "dtransport", + "tran_src_ip": "stransaddr", + "tran_src_port": "stransport", + "transactionid": "id2", + "url": "url", + "user_agent": "user_agent", + "user_gp": "group", + "user_name": "username", + "vconnid": "fld20", + }, processor_chain([ + setc("eventcategory","1204000000"), + dup2, + date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], + ], + }), + ])); + + var msg182 = msg("Sophos_Firewall", part190); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Sophos_Firewall": msg182, + "URID": msg38, + "afcd": msg94, + "astarosg_TVM": msg179, + "aua": msg174, + "barnyard": select13, + "confd": msg90, + "confd-sync": msg89, + "exim": select14, + "frox": select9, + "httpd": select18, + "httpproxy": select3, + "ipsec_starter": select10, + "named": select2, + "pluto": select11, + "pop3proxy": msg178, + "reverseproxy": select8, + "smtpd": select15, + "sockd": select17, + "sshd": select16, + "ulogd": msg39, + "xl2tpd": select12, + }), + ]); + + var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + 
target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/sophos/2.2.1/data_stream/utm/agent/stream/tcp.yml.hbs b/packages/sophos/2.2.1/data_stream/utm/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..1de04c8c77
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/agent/stream/tcp.yml.hbs
@@ -0,0 +1,5069 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Sophos"
+ product: "UTM"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ + setc("header_id","0003"), + setc("messageid","reverseproxy"), + ])); + + var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0004"), + setc("messageid","astarosg_TVM"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0006"), + setc("messageid","Sophos_Firewall"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg1 = msg("named:01", part1); + + var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg2 = msg("named:02", part2); + + var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("named:03", part3); + + var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ + dup5, + dup2, + dup3, + ])); + + var msg4 = msg("named:04", part4); + + var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg5 = msg("named:05", part5); + + var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ + setc("eventcategory","1804000000"), + dup2, + dup3, + ])); + + var msg6 = msg("named:06", part6); + + var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg7 = msg("named:07", part7); + + var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg8 = msg("named:08", part8); + + var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ + dup7, + dup2, + dup3, + setc("action","reloading"), + ])); + + var msg9 = msg("named:09", part9); + + var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + ])); + + var msg10 = msg("named:10", part10); + + var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + setc("action","all zones loaded"), + ])); + + var msg11 = msg("named:11", part11); + + var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ + dup7, + setc("disposition","running"), + dup2, + dup3, + setc("action","running"), + ])); + + var msg12 = msg("named:12", part12); + + var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ + dup7, + setc("context","built-in root key"), 
+ dup2, + dup3, + ])); + + var msg13 = msg("named:13", part13); + + var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg14 = msg("named:14", part14); + + var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ + dup10, + setc("event_description","named:too many timeouts resolving DNS."), + dup11, + dup2, + ])); + + var msg15 = msg("named:15", part15); + + var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:FORMERR resolving DNS."), + dup11, + dup2, + ])); + + var msg16 = msg("named:16", part16); + + var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), + dup11, + dup2, + ])); + + var msg17 = msg("named:17", part17); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + ]); + + var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ + dup12, + setc("event_description","httpproxy:Integrated HTTP-Proxy."), + dup11, + dup2, + ])); + + var msg18 = msg("httpproxy:09", part18); + + var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ + dup10, + setc("event_description","httpproxy:Name or service not known."), + dup11, + dup2, + ])); + + var msg19 = msg("httpproxy:10", part19); + + var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ + dup10, + setc("event_description","httpproxy:failed to resolve passthrough."), + dup11, + dup2, + ])); + + var msg20 = msg("httpproxy:11", part20); + + var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ + dup10, + setc("event_description","httpproxy:ssl handshake failure."), + dup11, + dup2, + ])); + + var msg21 = msg("httpproxy:12", part21); + + var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ + dup10, + setc("event_description","httpproxy:EVP_DecryptFinal failed."), + dup11, + dup2, + ])); + + var msg22 = msg("httpproxy:13", part22); + + var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ + dup10, + setc("event_description","httpproxy:decrypt failed."), + dup11, + dup2, + ])); + + var msg23 = msg("httpproxy:14", part23); + + var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:reloading av pattern"), + dup11, + dup2, + ])); + + var msg24 = msg("httpproxy:15", part24); + + var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ + dup12, + setc("event_description","httpproxy:sc_check_servers.Server checked."), + dup11, + dup2, + ])); + + var msg25 = msg("httpproxy:16", part25); + + var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ + dup12, + setc("event_description","httpproxy:shutdown finished, exiting."), + dup11, + dup2, + ])); 
+ + var msg26 = msg("httpproxy:17", part26); + + var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ + dup12, + setc("event_description","httpproxy:"), + dup11, + dup2, + ])); + + var msg27 = msg("httpproxy:18", part27); + + var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ + dup12, + setc("event_description","httpproxy:reading profiles"), + dup11, + dup2, + ])); + + var msg28 = msg("httpproxy:19", part28); + + var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ + dup12, + setc("event_description","httpproxy:finished startup"), + dup11, + dup2, + ])); + + var msg29 = msg("httpproxy:20", part29); + + var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:read_request_headers related message."), + dup11, + dup2, + ])); + + var msg30 = msg("httpproxy:21", part30); + + var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_loop related message."), + dup11, + dup2, + ])); + + var msg31 = msg("httpproxy:22", part31); + + var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scan_exit related message."), + dup11, + dup2, + ])); + + var msg32 = msg("httpproxy:23", part32); + + var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_exit related message."), + dup11, + dup2, + ])); + + var msg33 = msg("httpproxy:24", part33); + + var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_exit related message."), + dup11, + dup2, + ])); + + var msg34 = msg("httpproxy:25", part34); + + var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_zap related message."), + dup11, + dup2, + ])); + + var msg35 = msg("httpproxy:26", part35); + + var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scanner_init related message."), + dup11, + dup2, + ])); + + var msg36 = msg("httpproxy:27", part36); + + var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { + "action": "action", + "ad_domain": "fld1", + "app-id": "fld18", + "application": "fld17", + "auth": "fld10", + "authtime": "fld4", + "avscantime": "fld7", + "cached": "fld2", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld6", + "content-type": "content_type", + "device": "fld9", + "dnstime": "fld5", + "dstip": "daddr", + "error": "result", + "exceptions": "fld12", + "extension": "fld13", + "file": "filename", + "filename": "filename", + "filteraction": "fld3", + "fullreqtime": "fld8", + "function": "action", + "group": "group", + "id": "rule", + "line": "fld14", + "message": "context", + "method": "web_method", + "name": "event_description", + "profile": "policyname", + "reason": "rule_group", + "referer": "web_referer", + "reputation": "fld16", + "request": "connectionid", + "severity": "severity", + "size": "rbytes", + "srcip": "saddr", + "statuscode": "resultcode", + "sub": "network_service", + "sys": "vsys", + "time": "fld15", + "ua": "fld11", + "url": "url", + "user": "username", + }, processor_chain([ + dup13, + dup11, + dup2, + dup45, + 
dup46, + ])); + + var msg37 = msg("httpproxy:01", part37); + + var select3 = linear_select([ + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg38 = msg("URID:01", part38); + + var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { + "action": "action", + "code": "fld30", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "fwrule": "policy_id", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "name": "event_description", + "outitf": "dinterface", + "prec": "fld27", + "proto": "fld24", + "seq": "fld23", + "severity": "severity", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub": "network_service", + "sys": "vsys", + "tcpflags": "fld29", + "tos": "fld26", + "ttl": "fld28", + "type": "fld31", + }, processor_chain([ + dup13, + setc("ec_subject","NetworkComm"), + setc("ec_activity","Scan"), + setc("ec_theme","TEV"), + dup11, + dup2, + dup45, + dup46, + ])); + + var msg39 = msg("ulogd:01", part39); + + var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ + dup6, + setc("disposition","configured"), + dup2, + dup3, + ])); + + var msg40 = msg("reverseproxy:01", part40); + + var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg41 = msg("reverseproxy:02", part41); + + var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg42 = msg("reverseproxy:03", part42); + + var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ + dup17, + setc("event_id","AH00292"), + dup2, + dup3, + ])); + + var msg43 = msg("reverseproxy:04", part43); + + var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ + setc("eventcategory","1805010000"), + dup18, + dup2, + dup3, + ])); + + var msg44 = msg("reverseproxy:06", part44); + + var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); + + var select4 = linear_select([ + dup19, + ]); + + var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); + + var all1 = all_match({ + processors: [ + part45, + select4, + part46, + ], + on_success: processor_chain([ + dup5, + setc("event_id","AH00297"), + dup2, + dup3, + ]), + }); + + var msg45 = msg("reverseproxy:07", all1); + + var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ + dup4, + setc("event_id","AH00112"), + dup2, + dup3, + ])); + + var msg46 = msg("reverseproxy:08", part47); + + var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ + setc("eventcategory","1605010000"), + setc("event_id","AH00094"), + dup2, + dup3, + ])); + + var msg47 = msg("reverseproxy:09", part48); + + var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ + dup12, + setc("event_id","AH00291"), + dup2, + dup3, + ])); + + var msg48 = msg("reverseproxy:10", part49); + + var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ + dup20, + setc("event_id","AH02572"), + dup2, + dup3, + ])); + + var msg49 = msg("reverseproxy:11", part50); + + var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ + dup20, + setc("context","SSL Library Error"), + dup2, + dup3, + ])); + + var msg50 = msg("reverseproxy:12", part51); + + var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ + dup20, + setc("result","Fatal error"), + setc("event_id","AH02312"), + dup2, + dup3, + ])); + + var msg51 = msg("reverseproxy:13", part52); + + var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ + dup20, + setc("result","Configuration Failed"), + setc("event_id","AH00020"), + dup2, + dup3, + ])); + + var msg52 = msg("reverseproxy:14", part53); + + var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ + setc("eventcategory","1609000000"), + setc("context","Unclean shutdown"), + setc("event_id","AH00098"), + dup2, + dup3, + ])); + + var msg53 = msg("reverseproxy:15", part54); + + var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ + dup16, + setc("event_id","AH00295"), + dup2, + dup3, + ])); + + var msg54 = msg("reverseproxy:16", part55); + + var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); + + var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); + + var select5 = linear_select([ + part57, + dup19, + ]); + + var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all2 = all_match({ + processors: [ + part56, + select5, + part58, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + ]), + }); + + var msg55 = msg("reverseproxy:17", all2); + + var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ + dup4, + dup22, + dup2, + dup3, + ])); + + var msg56 = msg("reverseproxy:18", part59); + + var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ + dup23, + dup22, + dup2, + dup3, + ])); + + var msg57 = msg("reverseproxy:19", part60); + + var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg58 = msg("reverseproxy:20", part61); + + var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ + dup20, + dup18, + setc("event_id","AH01909"), + dup2, + dup3, + ])); + + var msg59 = msg("reverseproxy:21", part62); + + var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ + dup20, + setc("comments","Invalid port configuration"), + dup2, + dup3, + ])); + + var msg60 = msg("reverseproxy:22", part63); + + var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg61 = msg("reverseproxy:23", part64); + + var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg62 = msg("reverseproxy:24", part65); + + var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg63 = msg("reverseproxy:25", part66); + + var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); + + var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); + + var select6 = linear_select([ + part68, + dup19, + ]); + + var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); + + var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); + + var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); + + var select7 = linear_select([ + part70, + part71, + ]); + + var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all3 = all_match({ + processors: [ + part67, + select6, + part69, + select7, + part72, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + ]), + }); + + var msg64 = msg("reverseproxy:26", all3); + + var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg65 = msg("reverseproxy:27", part73); + + var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ + dup26, + setc("result","virus daemon error"), + dup2, + dup3, + ])); + + var msg66 = msg("reverseproxy:28", part74); + + var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ + dup27, + 
setc("result","virus found"), + dup2, + dup3, + ])); + + var msg67 = msg("reverseproxy:29", part75); + + var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg68 = msg("reverseproxy:30", part76); + + var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ + dup25, + setc("result","Cannot read reply"), + dup2, + dup3, + ])); + + var msg69 = msg("reverseproxy:31", part77); + + var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg70 = msg("reverseproxy:32", part78); + + var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg71 = msg("reverseproxy:33", part79); + + var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg72 = msg("reverseproxy:34", part80); + + var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg73 = msg("reverseproxy:35", part81); + + var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ + dup27, + setc("result","Virus found"), + dup2, + dup3, + ])); + + var msg74 = msg("reverseproxy:36", part82); + + var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg75 = msg("reverseproxy:37", part83); + + var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg76 = msg("reverseproxy:38", part84); + + var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ + dup23, + setc("result","Form validation failed"), + dup2, + dup3, + ])); + + var msg77 = msg("reverseproxy:39", part85); + + var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ + dup25, + setc("result","Sending trickle failed"), + dup2, + dup3, + ])); + + var msg78 = msg("reverseproxy:40", part86); + + var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg79 = msg("reverseproxy:41", part87); + + var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ + setc("eventcategory","1603050000"), + dup2, + dup3, + ])); + + var msg80 = msg("reverseproxy:42", part88); + + var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ + dup30, + setc("event_id","AH01110"), + setc("result","Error reading response"), + dup2, + dup3, + ])); + + var msg81 = msg("reverseproxy:43", part89); + + var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1601020000"), + setc("result","No form context found"), + dup2, + dup3, + ])); + + var msg82 = msg("reverseproxy:44", part90); + + var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ + dup25, + setc("event_id","AH00957"), + dup2, + dup3, + ])); + + var msg83 = msg("reverseproxy:45", part91); + + var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ + dup16, + setc("event_id","AH00959"), + setc("result","disabling worker"), + dup2, + dup3, + ])); + + var msg84 = msg("reverseproxy:46", part92); + + var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1801000000"), + setc("context","Not all file sent to client"), + dup2, + dup3, + ])); + + var msg85 = msg("reverseproxy:47", part93); + + var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg86 = msg("reverseproxy:48", part94); + + var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg87 = msg("reverseproxy:49", part95); + + var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { + "cookie": "web_cookie", + "exceptions": "policy_waiver", + "extra": "info", + "host": "dhost", + "id": "policy_id", + "localip": "fld3", + "method": "web_method", + "reason": "comments", + "referer": "web_referer", + "server": "daddr", + "set-cookie": "fld5", + "size": "fld4", + "srcip": "saddr", + "statuscode": "resultcode", + "time": "processing_time", + "url": "web_root", + "user": "username", + }, processor_chain([ + setc("eventcategory","1802000000"), + dup2, + dup3, + ])); + + var msg88 = 
msg("reverseproxy:05", part96); + + var select8 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { + "id": "fld5", + "name": "event_description", + "severity": "severity", + "sub": "service", + "sys": "fld2", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg89 = msg("confd-sync", part97); + + var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { + "account": "logon_id", + "attributes": "obj_name", + "class": "group_object", + "client": "fld3", + "count": "fld4", + "facility": "logon_type", + "id": "fld1", + "name": "event_description", + "node": "node", + "object": "fld6", + "severity": "severity", + "srcip": "saddr", + "storage": "directory", + "sub": "service", + "sys": "fld2", + "type": "obj_type", + "user": "username", + "version": "version", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg90 = msg("confd:01", part98); + + var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy Frox started."), + dup11, + dup2, + ])); + + var msg91 = msg("frox", part99); + + var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy listening on port."), + dup11, + dup2, + ])); + + var msg92 = msg("frox:01", part100); + + var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ + dup12, + 
setc("event_description","frox:FTP Proxy dropped priveleges."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg93 = msg("frox:02", part101);
+
+ var select9 = linear_select([
+ msg91,
+ msg92,
+ msg93,
+ ]);
+
+ var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([
+ dup12,
+ setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg94 = msg("afcd", part102);
+
+ var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([
+ dup12,
+ setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg95 = msg("ipsec_starter", part103);
+
+ var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([
+ dup12,
+ setc("event_description","ipsec_starter: IP address or index of physical interface changed."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg96 = msg("ipsec_starter:01", part104);
+
+ var select10 = linear_select([
+ msg95,
+ msg96,
+ ]);
+
+ var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([
+ dup12,
+ setc("event_description","pluto: Starting Pluto."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg97 = msg("pluto", part105);
+
+ var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([
+ dup12,
+ setc("event_description","pluto: including NAT-Traversal patch."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg98 = msg("pluto:01", part106);
+
+ var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([
+ dup33,
+ setc("event_description","pluto: Activating encryption algorithm."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg99 = msg("pluto:02", part107);
+
+ var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([
+ dup33,
+ setc("event_description","pluto: Activating hash algorithm."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg100 = msg("pluto:03", part108);
+
+ var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([
+ dup12,
+ setc("event_description","pluto: Testing registered IKE encryption algorithms"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg101 = msg("pluto:04", part109);
+
+ var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([
+ dup12,
+ setc("event_description","pluto: Algorithm self-test not available."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg102 = msg("pluto:05", part110);
+
+ var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([
+ dup12,
+ setc("event_description","pluto: Algorithm self-test passed."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg103 = msg("pluto:06", part111);
+
+ var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([
+ dup12,
+ setc("event_description","pluto: Using KLIPS IPsec interface code"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg104 = msg("pluto:07", part112);
+
+ var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([
+ dup12,
+ setc("event_description","pluto: adding interface"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg105 = msg("pluto:08", part113);
+
+ var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([
+ dup34,
+ setc("event_description","pluto: loading secrets"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg106 = msg("pluto:09", part114);
+
+ var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%(unknown)' (%{filename_size->} bytes)", processor_chain([
+ dup34,
+ setc("event_description","pluto: loaded private key file"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg107 = msg("pluto:10", part115);
+
+ var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([
+ dup12,
+ setc("event_description","pluto: added connection description"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg108 = msg("pluto:11", part116);
+
+ var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([
+ dup12,
+ dup35,
+ dup11,
+ dup2,
+ ]));
+
+ var msg109 = msg("pluto:12", part117);
+
+ var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([
+ dup10,
+ dup36,
+ dup11,
+ dup2,
+ ]));
+
+ var msg110 = msg("pluto:13", part118);
+
+ var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([
+ dup12,
+ dup37,
+ dup11,
+ dup2,
+ ]));
+
+ var msg111 = msg("pluto:14", part119);
+
+ var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([
+ dup12,
+ setc("event_description","pluto:forgetting secrets"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg112 = msg("pluto:15", part120);
+
+ var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([
+ dup12,
+ setc("event_description","pluto:Changing to directory"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg113 = msg("pluto:17", part121);
+
+ var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([
+ dup12,
+ setc("event_description","pluto:*time to handle event"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg114 = msg("pluto:18", part122);
+
+ var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([
+ dup12,
+ setc("event_description","pluto:*received kernel message"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg115 = msg("pluto:19", part123);
+
+ var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([
+ dup25,
+ setc("event_description","pluto:rejected packet"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg116 = msg("pluto:20", part124);
+
+ var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg117 = msg("pluto:21", part125);
+
+ var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg118 = msg("pluto:22", part126);
+
+ var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg119 = msg("pluto:23", part127);
+
+ var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg120 = msg("pluto:24", part128);
+
+ var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg121 = msg("pluto:25", part129);
+
+ var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg122 = msg("pluto:26", part130);
+
+ var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg123 = msg("pluto:27", part131);
+
+ var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg124 = msg("pluto:28", part132);
+
+ var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg125 = msg("pluto:29", part133);
+
+ var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg126 = msg("pluto:30", part134);
+
+ var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg127 = msg("pluto:31", part135);
+
+ var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([
+ dup12,
+ setc("event_description","not authenticated"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg128 = msg("pluto:32", part136);
+
+ var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([
+ dup12,
+ dup35,
+ dup11,
+ dup2,
+ ]));
+
+ var msg129 = msg("pluto:33", part137);
+
+ var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([
+ dup12,
+ dup36,
+ dup11,
+ dup2,
+ ]));
+
+ var msg130 = msg("pluto:34", part138);
+
+ var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([
+ dup12,
+ dup37,
+ dup11,
+ dup2,
+ ]));
+
+ var msg131 = msg("pluto:35", part139);
+
+ var select11 = linear_select([
+ msg97,
+ msg98,
+ msg99,
+ msg100,
+ msg101,
+ msg102,
+ msg103,
+ msg104,
+ msg105,
+ msg106,
+ msg107,
+ msg108,
+ msg109,
+ msg110,
+ msg111,
+ msg112,
+ msg113,
+ msg114,
+ msg115,
+ msg116,
+ msg117,
+ msg118,
+ msg119,
+ msg120,
+ msg121,
+ msg122,
+ msg123,
+ msg124,
+ msg125,
+ msg126,
+ msg127,
+ msg128,
+ msg129,
+ msg130,
+ msg131,
+ ]);
+
+ var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([
+ setc("eventcategory","1607000000"),
+ setc("event_description","xl2tpd:This binary does not support kernel L2TP."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg132 = msg("xl2tpd", part140);
+
+ var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([
+ dup12,
+ setc("event_description","xl2tpd:xl2tpd started."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg133 = msg("xl2tpd:01", part141);
+
+ var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([
+ dup12,
+ dup38,
+ dup11,
+ dup2,
+ ]));
+
+ var msg134 = msg("xl2tpd:02", part142);
+
+ var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([
+ dup12,
+ dup38,
+ dup11,
+ dup2,
+ ]));
+
+ var msg135 = msg("xl2tpd:03", part143);
+
+ var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([
+ dup12,
+ dup38,
+ dup11,
+ dup2,
+ ]));
+
+ var msg136 = msg("xl2tpd:04", part144);
+
+ var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([
+ dup12,
+ dup38,
+ dup11,
+ dup2,
+ ]));
+
+ var msg137 = msg("xl2tpd:05", part145);
+
+ var select12 = linear_select([
+ msg132,
+ msg133,
+ msg134,
+ msg135,
+ msg136,
+ msg137,
+ ]);
+
+ var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([
+ dup12,
+ setc("event_description","barnyard: Exiting"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg138 = msg("barnyard:01", part146);
+
+ var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([
+ dup12,
+ setc("event_description","barnyard:Initializing daemon mode"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg139 = msg("barnyard:02", part147);
+
+ var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([
+ dup12,
+ setc("event_description","barnyard:Opened spool file."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg140 = msg("barnyard:03", part148);
+
+ var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([
+ dup12,
+ setc("event_description","barnyard:Waiting for new data"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg141 = msg("barnyard:04", part149);
+
+ var select13 = linear_select([
+ msg138,
+ msg139,
+ msg140,
+ msg141,
+ ]);
+
+ var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([
+ dup12,
+ setc("event_description","exim:SMTP connection from localhost closed by QUIT"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg142 = msg("exim:01", part150);
+
+ var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([
+ setc("eventcategory","1207010000"),
+ setc("event_description","exim:e-mail accepted from relay."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg143 = msg("exim:02", part151);
+
+ var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([
+ setc("eventcategory","1207000000"),
+ setc("event_description","exim: e-mail sent."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg144 = msg("exim:03", part152);
+
+ var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([
+ dup39,
+ setc("event_description","exim: e-mail host lookup did not complete in DNS."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg145 = msg("exim:04", part153);
+
+ var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([
+ dup39,
+ setc("event_description","exim: e-mail routing defer:retry time not reached."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg146 = msg("exim:05", part154);
+
+ var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([
+ dup12,
+ setc("event_description","exim: exim daemon started."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg147 = msg("exim:06", part155);
+
+ var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([
+ dup12,
+ setc("event_description","exim: Start queue run."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg148 = msg("exim:07", part156);
+
+ var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([
+ dup12,
+ setc("event_description","exim: SIGHUP received: re-exec daemon."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg149 = msg("exim:08", part157);
+
+ var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([
+ dup12,
+ setc("event_description","exim: SMTP connection from host."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg150 = msg("exim:09", part158);
+
+ var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([
+ dup12,
+ setc("event_description","exim:rejected EHLO from host."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg151 = msg("exim:10", part159);
+
+ var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([
+ dup12,
+ setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg152 = msg("exim:11", part160);
+
+ var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([
+ dup12,
+ setc("event_description","exim:TLS error on connection from host."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg153 = msg("exim:12", part161);
+
+ var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([
+ dup12,
+ dup40,
+ dup11,
+ dup2,
+ ]));
+
+ var msg154 = msg("exim:13", part162);
+
+ var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([
+ dup12,
+ dup40,
+ dup11,
+ dup2,
+ ]));
+
+ var msg155 = msg("exim:14", part163);
+
+ var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([
+ dup12,
+ dup40,
+ dup11,
+ dup2,
+ ]));
+
+ var msg156 = msg("exim:15", part164);
+
+ var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ ]));
+
+ var msg157 = msg("exim:16", part165);
+
+ var select14 = linear_select([
+ msg142,
+ msg143,
+ msg144,
+ msg145,
+ msg146,
+ msg147,
+ msg148,
+ msg149,
+ msg150,
+ msg151,
+ msg152,
+ msg153,
+ msg154,
+ msg155,
+ msg156,
+ msg157,
+ ]);
+
+ var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([
+ dup12,
+ setc("event_description","smtpd: Process moved to work queue."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg158 = msg("smtpd:01", part166);
+
+ var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([
+ setc("eventcategory","1207010100"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg159 = msg("smtpd:02", part167);
+
+ var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([
+ dup12,
+ setc("event_description","smtpd: SCANNER: Nothing to do,exiting."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg160 = msg("smtpd:03", part168);
+
+ var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([
+ dup12,
+ setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg161 = msg("smtpd:04", part169);
+
+ var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([
+ dup12,
+ setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg162 = msg("smtpd:07", part170);
+
+ var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([
+ dup12,
+ setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg163 = msg("smtpd:05", part171);
+
+ var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([
+ dup12,
+ setc("event_description","smtpd: MASTER:Sending QR one."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg164 = msg("smtpd:06", part172);
+
+ var select15 = linear_select([
+ msg158,
+ msg159,
+ msg160,
+ msg161,
+ msg162,
+ msg163,
+ msg164,
+ ]);
+
+ var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([
+ dup10,
+ setc("event_description","sshd: Did not receive identification string."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg165 = msg("sshd:01", part173);
+
+ var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([
+ dup12,
+ setc("event_description","sshd:Received SIGHUP restarting."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg166 = msg("sshd:02", part174);
+
+ var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([
+ dup12,
+ setc("event_description","sshd:Server listening; restarting."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg167 = msg("sshd:03", part175);
+
+ var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([
+ dup41,
+ setc("event_description","sshd:Invalid user admin."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg168 = msg("sshd:04", part176);
+
+ var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([
+ dup41,
+ setc("event_description","sshd:Failed none for invalid user admin."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg169 = msg("sshd:05", part177);
+
+ var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([
+ dup10,
+ setc("event_description","sshd:error:Could not get shadow information for NOUSER"),
+ dup11,
+ dup2,
+ ]));
+
+ var msg170 = msg("sshd:06", part178);
+
+ var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([
+ dup41,
+ setc("event_description","sshd:Failed password for root."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg171 = msg("sshd:07", part179);
+
+ var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([
+ setc("eventcategory","1302000000"),
+ setc("event_description","sshd:Accepted password for loginuser."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg172 = msg("sshd:08", part180);
+
+ var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([
+ dup10,
+ setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg173 = msg("sshd:09", part181);
+
+ var select16 = linear_select([
+ msg165,
+ msg166,
+ msg167,
+ msg168,
+ msg169,
+ msg170,
+ msg171,
+ msg172,
+ msg173,
+ ]);
+
+ var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, {
+ "caller": "fld4",
+ "engine": "fld5",
+ "id": "fld1",
+ "name": "event_description",
+ "severity": "severity",
+ "srcip": "saddr",
+ "sub": "service",
+ "sys": "fld2",
+ "user": "username",
+ }, processor_chain([
+ dup13,
+ dup11,
+ dup2,
+ dup45,
+ dup46,
+ ]));
+
+ var msg174 = msg("aua:01", part182);
+
+ var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([
+ dup12,
+ setc("event_description","sockd: created new negotiatorchild."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg175 = msg("sockd:01", part183);
+
+ var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([
+ dup12,
+ setc("event_description","sockd:dante/server running."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg176 = msg("sockd:02", part184);
+
+ var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([
+ dup12,
+ setc("event_description","sockd:sockdexit():terminating on signal."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg177 = msg("sockd:03", part185);
+
+ var select17 = linear_select([
+ msg175,
+ msg176,
+ msg177,
+ ]);
+
+ var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([
+ dup12,
+ setc("event_description","pop3proxy:Master started."),
+ dup11,
+ dup2,
+ ]));
+
+ var msg178 = msg("pop3proxy", part186);
+
+ var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, {
+ "account": "logon_id",
+ "action": "action",
+ "ad_domain": "fld5",
+ "app-id": "fld20",
+ "application": "fld19",
+ "attributes": "obj_name",
+ "auth": "fld15",
+ "authtime": "fld9",
+ "avscantime": "fld12",
+ "cached": "fld7",
+ "caller": "fld30",
+ "category": "policy_id",
+ "categoryname": "info",
+ "cattime": "fld11",
+ "class": "group_object",
+ "client": "fld3",
+ "content-type": "content_type",
+ "cookie": "web_cookie",
+ "count": "fld4",
+ "device": "fld14",
+ "dnstime": "fld10",
+ "dstip": "daddr",
+ "dstmac": "dmacaddr",
+ "dstport": "dport",
+ "engine": "fld31",
+ "error": "comments",
+ "exceptions": "fld17",
+ "extension": "web_extension",
+ "extra": "info",
+ "facility": "logon_type",
+ "file": "filename",
+ "filename": "filename",
+ "filteraction": "policyname",
+ "fullreqtime": "fld13",
+ "function": "action",
+ "fwrule": "policy_id",
+ "group": "group",
+ "host": "dhost",
+ "id": "rule",
+ "info": "context",
+ "initf": "sinterface",
+ "length": "fld25",
+ "line": "fld22",
+ "localip": "fld31",
+ "message": "context",
+ "method": "web_method",
+ "name": "event_description",
+ "node": "node",
+ "object": "fld6",
+ "outitf": "dinterface",
+ "prec": "fld30",
+ "profile": "owner",
+ "proto": "fld24",
+ "reason": "comments",
+ "referer": "web_referer",
+ "reputation": "fld18",
+ "request": "fld8",
+ "seq": "fld23",
+ "server": "daddr",
+ "set-cookie": "fld32",
+ "severity": "severity",
+ "size": "filename_size",
+ "srcip": "saddr",
+ "srcmac": "smacaddr",
+ "srcport": "sport",
+ "statuscode": "resultcode",
+ "storage": "directory",
+ "sub": "service",
+ "sys": "vsys",
+ "tcpflags": "fld29",
+ "time": "fld21",
+ "tos": "fld26",
+ "ttl": "fld28",
+ "type": "obj_type",
+ "ua": "fld16",
+ "url": "url",
+ "user": "username",
+ "version": "version",
+ }, processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ dup45,
+ dup46,
+ ]));
+
+ var msg179 = msg("astarosg_TVM", part187);
+
+ var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, {
+ "account": "logon_id",
+ "action": "action",
+ "ad_domain": "fld5",
+ "app-id": "fld20",
+ "application": "fld19",
+ "attributes": "obj_name",
+ "auth": "fld15",
+ "authtime": "fld9",
+ "avscantime": "fld12",
+ "cached": "fld7",
+ "caller": "fld30",
+ "category": "policy_id",
+ "categoryname": "info",
+ "cattime": "fld11",
+ "class": "group_object",
+ "client": "fld3",
+ "content-type": "content_type",
+ "cookie": "web_cookie",
+ "count": "fld4",
+ "device": "fld14",
+ "dnstime": "fld10",
+ "dstip": "daddr",
+ "dstmac": "dmacaddr",
+ "dstport": "dport",
+ "engine": "fld31",
+ "error": "comments",
+ "exceptions": "fld17",
+ "extension": "web_extension",
+ "extra": "info",
+ "facility": "logon_type",
+ "file": "filename",
+ "filename": "filename",
+ "filteraction": "policyname",
+ "fullreqtime": "fld13",
+ "function": "action",
+ "fwrule": "policy_id",
+ "group": "group",
+ "host": "dhost",
+ "id": "rule",
+ "info": "context",
+ "initf": "sinterface",
+ "length": "fld25",
+ "line": "fld22",
+ "localip": "fld31",
+ "message": "context",
+ "method": "web_method",
+ "name": "event_description",
+ "node": "node",
+ "object": "fld6",
+ "outitf": "dinterface",
+ "port": "network_port",
+ "prec": "fld30",
+ "profile": "owner",
+ "proto": "fld24",
+ "query": "web_query",
+ "reason": "comments",
+ "referer": "web_referer",
+ "reputation": "fld18",
+ "request": "fld8",
+ "seq": "fld23",
+ "server": "daddr",
+ "set-cookie": "fld32",
+ "severity": "severity",
+ "size": "filename_size",
+ "srcip": "saddr",
+ "srcmac": "smacaddr",
+ "srcport": "sport",
+ "statuscode": "resultcode",
+ "storage": "directory",
+ "sub": "service",
+ "sys": "vsys",
+ "tcpflags": "fld29",
+ "time": "fld21",
+ "tos": "fld26",
+ "ttl": "fld28",
+ "type": "obj_type",
+ "ua": "fld16",
+ "uid": "uid",
+ "url": "url",
+ "user": "username",
+ "version": "version",
+ }, processor_chain([
+ dup12,
+ dup11,
+ dup2,
+ dup45,
+ dup46,
+ ]));
+
+ var msg180 = msg("httpd", part188);
+
+ var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([
+ setc("eventcategory","1502000000"),
+ dup2,
+ dup3,
+ ]));
+
+ var msg181 = msg("httpd:01", part189);
+
+ var select18 = linear_select([
+ msg180,
+ msg181,
+ ]);
+
+ var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, {
+ "activityname": "fld9",
+ "appfilter_policy_id": "fld10",
+ "application": "application",
+ "application_category": "fld23",
+ "application_risk": "risk_num",
+ "application_technology": "fld11",
+ "appresolvedby": "fld22",
+ "category": "fld4",
+ "category_type": "fld5",
+ "connevent": "fld19",
+ "connid": "connectionid",
+ "contenttype": "content_type",
+ "dir_disp": "fld18",
+ "domain": "fqdn",
+ "dst_country_code": "location_dst",
+ "dst_ip": "daddr",
+ "dst_port": "dport",
+ "dstzone": "dst_zone",
+ "dstzonetype": "fld17",
+ "duration": "duration",
+ "exceptions": "fld8",
+ "fw_rule_id": "rule_uid",
+ "hb_health": "fld21",
+ "httpresponsecode": "fld7",
+ "iap": "id1",
+ "in_interface": "sinterface",
+ "ips_policy_id": "policy_id",
+ "log_component": "event_source",
+ "log_subtype": "category",
+ "log_type": "event_type",
+ "message": "info",
+ "out_interface": "dinterface",
+ "override_token": "fld6",
+ "policy_type": "fld23",
+ "priority": "severity",
+ "protocol": "protocol",
+ "reason": "result",
+ "recv_bytes": "rbytes",
+ "recv_pkts": "fld15",
+ "referer": "web_referer",
+ "sent_bytes": "sbytes",
+ "sent_pkts": "fld14",
+ "src_country_code": "location_src",
+ "src_ip": "saddr",
+ "src_mac": "smacaddr",
+ "src_port": "sport",
+ "srczone": "src_zone",
+ "srczonetype": "fld16",
+ "status": "event_state",
+ "status_code": "resultcode",
+ "tran_dst_ip": "dtransaddr",
+ "tran_dst_port": "dtransport",
+ "tran_src_ip": "stransaddr",
+ "tran_src_port": "stransport",
+ "transactionid": "id2",
+ "url": "url",
+ "user_agent": "user_agent",
+ "user_gp": "group",
+ "user_name": "username",
+ "vconnid": "fld20",
+ }, processor_chain([
+ setc("eventcategory","1204000000"),
+ dup2,
+ date_time({
+ dest: "event_time",
+ args: ["hdate","htime"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS],
+ ],
+ }),
+ ]));
+
+ var msg182 = msg("Sophos_Firewall", part190);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "Sophos_Firewall": msg182,
+ "URID": msg38,
+ "afcd": msg94,
+ "astarosg_TVM": msg179,
+ "aua": msg174,
+ "barnyard": select13,
+ "confd": msg90,
+ "confd-sync": msg89,
+ "exim": select14,
+ "frox": select9,
+ "httpd": select18,
+ "httpproxy": select3,
+ "ipsec_starter": select10,
+ "named": select2,
+ "pluto": select11,
+ "pop3proxy": msg178,
+ "reverseproxy": select8,
+ "smtpd": select15,
+ "sockd": select17,
+ "sshd": select16,
+ "ulogd": msg39,
+ "xl2tpd": select12,
+ }),
+ ]);
+
+ var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0");
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/sophos/2.2.1/data_stream/utm/agent/stream/udp.yml.hbs b/packages/sophos/2.2.1/data_stream/utm/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..cef2ed2295
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/agent/stream/udp.yml.hbs
@@ -0,0 +1,5069 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Sophos"
+ product: "UTM"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ + setc("header_id","0003"), + setc("messageid","reverseproxy"), + ])); + + var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0004"), + setc("messageid","astarosg_TVM"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0006"), + setc("messageid","Sophos_Firewall"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg1 = msg("named:01", part1); + + var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var msg2 = msg("named:02", part2); + + var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("named:03", part3); + + var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ + dup5, + dup2, + dup3, + ])); + + var msg4 = msg("named:04", part4); + + var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg5 = msg("named:05", part5); + + var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ + setc("eventcategory","1804000000"), + dup2, + dup3, + ])); + + var msg6 = msg("named:06", part6); + + var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg7 = msg("named:07", part7); + + var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg8 = msg("named:08", part8); + + var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ + dup7, + dup2, + dup3, + setc("action","reloading"), + ])); + + var msg9 = msg("named:09", part9); + + var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + ])); + + var msg10 = msg("named:10", part10); + + var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + setc("action","all zones loaded"), + ])); + + var msg11 = msg("named:11", part11); + + var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ + dup7, + setc("disposition","running"), + dup2, + dup3, + setc("action","running"), + ])); + + var msg12 = msg("named:12", part12); + + var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ + dup7, + setc("context","built-in root key"), 
+ dup2, + dup3, + ])); + + var msg13 = msg("named:13", part13); + + var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg14 = msg("named:14", part14); + + var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ + dup10, + setc("event_description","named:too many timeouts resolving DNS."), + dup11, + dup2, + ])); + + var msg15 = msg("named:15", part15); + + var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:FORMERR resolving DNS."), + dup11, + dup2, + ])); + + var msg16 = msg("named:16", part16); + + var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), + dup11, + dup2, + ])); + + var msg17 = msg("named:17", part17); + + var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + ]); + + var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ + dup12, + setc("event_description","httpproxy:Integrated HTTP-Proxy."), + dup11, + dup2, + ])); + + var msg18 = msg("httpproxy:09", part18); + + var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ + dup10, + setc("event_description","httpproxy:Name or service not known."), + dup11, + dup2, + ])); + + var msg19 = msg("httpproxy:10", part19); + + var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ + dup10, + setc("event_description","httpproxy:failed to resolve passthrough."), + dup11, + dup2, + ])); + + var msg20 = msg("httpproxy:11", part20); + + var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ + dup10, + setc("event_description","httpproxy:ssl handshake failure."), + dup11, + dup2, + ])); + + var msg21 = msg("httpproxy:12", part21); + + var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ + dup10, + setc("event_description","httpproxy:EVP_DecryptFinal failed."), + dup11, + dup2, + ])); + + var msg22 = msg("httpproxy:13", part22); + + var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ + dup10, + setc("event_description","httpproxy:decrypt failed."), + dup11, + dup2, + ])); + + var msg23 = msg("httpproxy:14", part23); + + var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:reloading av pattern"), + dup11, + dup2, + ])); + + var msg24 = msg("httpproxy:15", part24); + + var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ + dup12, + setc("event_description","httpproxy:sc_check_servers.Server checked."), + dup11, + dup2, + ])); + + var msg25 = msg("httpproxy:16", part25); + + var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ + dup12, + setc("event_description","httpproxy:shutdown finished, exiting."), + dup11, + dup2, + ])); 
+ + var msg26 = msg("httpproxy:17", part26); + + var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ + dup12, + setc("event_description","httpproxy:"), + dup11, + dup2, + ])); + + var msg27 = msg("httpproxy:18", part27); + + var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ + dup12, + setc("event_description","httpproxy:reading profiles"), + dup11, + dup2, + ])); + + var msg28 = msg("httpproxy:19", part28); + + var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ + dup12, + setc("event_description","httpproxy:finished startup"), + dup11, + dup2, + ])); + + var msg29 = msg("httpproxy:20", part29); + + var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:read_request_headers related message."), + dup11, + dup2, + ])); + + var msg30 = msg("httpproxy:21", part30); + + var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_loop related message."), + dup11, + dup2, + ])); + + var msg31 = msg("httpproxy:22", part31); + + var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scan_exit related message."), + dup11, + dup2, + ])); + + var msg32 = msg("httpproxy:23", part32); + + var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_exit related message."), + dup11, + dup2, + ])); + + var msg33 = msg("httpproxy:24", part33); + + var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_exit related message."), + dup11, + dup2, + ])); + + var msg34 = msg("httpproxy:25", part34); + + var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_zap related message."), + dup11, + dup2, + ])); + + var msg35 = msg("httpproxy:26", part35); + + var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scanner_init related message."), + dup11, + dup2, + ])); + + var msg36 = msg("httpproxy:27", part36); + + var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { + "action": "action", + "ad_domain": "fld1", + "app-id": "fld18", + "application": "fld17", + "auth": "fld10", + "authtime": "fld4", + "avscantime": "fld7", + "cached": "fld2", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld6", + "content-type": "content_type", + "device": "fld9", + "dnstime": "fld5", + "dstip": "daddr", + "error": "result", + "exceptions": "fld12", + "extension": "fld13", + "file": "filename", + "filename": "filename", + "filteraction": "fld3", + "fullreqtime": "fld8", + "function": "action", + "group": "group", + "id": "rule", + "line": "fld14", + "message": "context", + "method": "web_method", + "name": "event_description", + "profile": "policyname", + "reason": "rule_group", + "referer": "web_referer", + "reputation": "fld16", + "request": "connectionid", + "severity": "severity", + "size": "rbytes", + "srcip": "saddr", + "statuscode": "resultcode", + "sub": "network_service", + "sys": "vsys", + "time": "fld15", + "ua": "fld11", + "url": "url", + "user": "username", + }, processor_chain([ + dup13, + dup11, + dup2, + dup45, + 
dup46, + ])); + + var msg37 = msg("httpproxy:01", part37); + + var select3 = linear_select([ + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + ]); + + var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg38 = msg("URID:01", part38); + + var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { + "action": "action", + "code": "fld30", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "fwrule": "policy_id", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "name": "event_description", + "outitf": "dinterface", + "prec": "fld27", + "proto": "fld24", + "seq": "fld23", + "severity": "severity", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub": "network_service", + "sys": "vsys", + "tcpflags": "fld29", + "tos": "fld26", + "ttl": "fld28", + "type": "fld31", + }, processor_chain([ + dup13, + setc("ec_subject","NetworkComm"), + setc("ec_activity","Scan"), + setc("ec_theme","TEV"), + dup11, + dup2, + dup45, + dup46, + ])); + + var msg39 = msg("ulogd:01", part39); + + var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ + dup6, + setc("disposition","configured"), + dup2, + dup3, + ])); + + var msg40 = msg("reverseproxy:01", part40); + + var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg41 = msg("reverseproxy:02", part41); + + var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg42 = msg("reverseproxy:03", part42); + + var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ + dup17, + setc("event_id","AH00292"), + dup2, + dup3, + ])); + + var msg43 = msg("reverseproxy:04", part43); + + var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ + setc("eventcategory","1805010000"), + dup18, + dup2, + dup3, + ])); + + var msg44 = msg("reverseproxy:06", part44); + + var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); + + var select4 = linear_select([ + dup19, + ]); + + var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); + + var all1 = all_match({ + processors: [ + part45, + select4, + part46, + ], + on_success: processor_chain([ + dup5, + setc("event_id","AH00297"), + dup2, + dup3, + ]), + }); + + var msg45 = msg("reverseproxy:07", all1); + + var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ + dup4, + setc("event_id","AH00112"), + dup2, + dup3, + ])); + + var msg46 = msg("reverseproxy:08", part47); + + var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ + setc("eventcategory","1605010000"), + setc("event_id","AH00094"), + dup2, + dup3, + ])); + + var msg47 = msg("reverseproxy:09", part48); + + var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ + dup12, + setc("event_id","AH00291"), + dup2, + dup3, + ])); + + var msg48 = msg("reverseproxy:10", part49); + + var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ + dup20, + setc("event_id","AH02572"), + dup2, + dup3, + ])); + + var msg49 = msg("reverseproxy:11", part50); + + var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ + dup20, + setc("context","SSL Library Error"), + dup2, + dup3, + ])); + + var msg50 = msg("reverseproxy:12", part51); + + var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ + dup20, + setc("result","Fatal error"), + setc("event_id","AH02312"), + dup2, + dup3, + ])); + + var msg51 = msg("reverseproxy:13", part52); + + var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ + dup20, + setc("result","Configuration Failed"), + setc("event_id","AH00020"), + dup2, + dup3, + ])); + + var msg52 = msg("reverseproxy:14", part53); + + var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ + setc("eventcategory","1609000000"), + setc("context","Unclean shutdown"), + setc("event_id","AH00098"), + dup2, + dup3, + ])); + + var msg53 = msg("reverseproxy:15", part54); + + var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ + dup16, + setc("event_id","AH00295"), + dup2, + dup3, + ])); + + var msg54 = msg("reverseproxy:16", part55); + + var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); + + var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); + + var select5 = linear_select([ + part57, + dup19, + ]); + + var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all2 = all_match({ + processors: [ + part56, + select5, + part58, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + ]), + }); + + var msg55 = msg("reverseproxy:17", all2); + + var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ + dup4, + dup22, + dup2, + dup3, + ])); + + var msg56 = msg("reverseproxy:18", part59); + + var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ + dup23, + dup22, + dup2, + dup3, + ])); + + var msg57 = msg("reverseproxy:19", part60); + + var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg58 = msg("reverseproxy:20", part61); + + var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ + dup20, + dup18, + setc("event_id","AH01909"), + dup2, + dup3, + ])); + + var msg59 = msg("reverseproxy:21", part62); + + var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ + dup20, + setc("comments","Invalid port configuration"), + dup2, + dup3, + ])); + + var msg60 = msg("reverseproxy:22", part63); + + var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg61 = msg("reverseproxy:23", part64); + + var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg62 = msg("reverseproxy:24", part65); + + var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, + ])); + + var msg63 = msg("reverseproxy:25", part66); + + var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); + + var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); + + var select6 = linear_select([ + part68, + dup19, + ]); + + var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); + + var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); + + var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); + + var select7 = linear_select([ + part70, + part71, + ]); + + var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + + var all3 = all_match({ + processors: [ + part67, + select6, + part69, + select7, + part72, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + ]), + }); + + var msg64 = msg("reverseproxy:26", all3); + + var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg65 = msg("reverseproxy:27", part73); + + var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ + dup26, + setc("result","virus daemon error"), + dup2, + dup3, + ])); + + var msg66 = msg("reverseproxy:28", part74); + + var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ + dup27, + 
setc("result","virus found"), + dup2, + dup3, + ])); + + var msg67 = msg("reverseproxy:29", part75); + + var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg68 = msg("reverseproxy:30", part76); + + var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ + dup25, + setc("result","Cannot read reply"), + dup2, + dup3, + ])); + + var msg69 = msg("reverseproxy:31", part77); + + var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg70 = msg("reverseproxy:32", part78); + + var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg71 = msg("reverseproxy:33", part79); + + var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg72 = msg("reverseproxy:34", part80); + + var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ + dup26, + dup29, + dup2, + dup3, + ])); + + var msg73 = msg("reverseproxy:35", part81); + + var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ + dup27, + setc("result","Virus found"), + dup2, + dup3, + ])); + + var msg74 = msg("reverseproxy:36", part82); + + var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ + dup24, + dup28, + dup2, + dup3, + ])); + + var msg75 = msg("reverseproxy:37", part83); + + var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ + dup25, + dup2, + dup3, + ])); + + var msg76 = msg("reverseproxy:38", part84); + + var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ + dup23, + setc("result","Form validation failed"), + dup2, + dup3, + ])); + + var msg77 = msg("reverseproxy:39", part85); + + var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ + dup25, + setc("result","Sending trickle failed"), + dup2, + dup3, + ])); + + var msg78 = msg("reverseproxy:40", part86); + + var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg79 = msg("reverseproxy:41", part87); + + var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ + setc("eventcategory","1603050000"), + dup2, + dup3, + ])); + + var msg80 = msg("reverseproxy:42", part88); + + var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ + dup30, + setc("event_id","AH01110"), + setc("result","Error reading response"), + dup2, + dup3, + ])); + + var msg81 = msg("reverseproxy:43", part89); + + var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1601020000"), + setc("result","No form context found"), + dup2, + dup3, + ])); + + var msg82 = msg("reverseproxy:44", part90); + + var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ + dup25, + setc("event_id","AH00957"), + dup2, + dup3, + ])); + + var msg83 = msg("reverseproxy:45", part91); + + var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ + dup16, + setc("event_id","AH00959"), + setc("result","disabling worker"), + dup2, + dup3, + ])); + + var msg84 = msg("reverseproxy:46", part92); + + var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1801000000"), + setc("context","Not all file sent to client"), + dup2, + dup3, + ])); + + var msg85 = msg("reverseproxy:47", part93); + + var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg86 = msg("reverseproxy:48", part94); + + var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, + ])); + + var msg87 = msg("reverseproxy:49", part95); + + var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { + "cookie": "web_cookie", + "exceptions": "policy_waiver", + "extra": "info", + "host": "dhost", + "id": "policy_id", + "localip": "fld3", + "method": "web_method", + "reason": "comments", + "referer": "web_referer", + "server": "daddr", + "set-cookie": "fld5", + "size": "fld4", + "srcip": "saddr", + "statuscode": "resultcode", + "time": "processing_time", + "url": "web_root", + "user": "username", + }, processor_chain([ + setc("eventcategory","1802000000"), + dup2, + dup3, + ])); + + var msg88 = 
msg("reverseproxy:05", part96); + + var select8 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { + "id": "fld5", + "name": "event_description", + "severity": "severity", + "sub": "service", + "sys": "fld2", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg89 = msg("confd-sync", part97); + + var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { + "account": "logon_id", + "attributes": "obj_name", + "class": "group_object", + "client": "fld3", + "count": "fld4", + "facility": "logon_type", + "id": "fld1", + "name": "event_description", + "node": "node", + "object": "fld6", + "severity": "severity", + "srcip": "saddr", + "storage": "directory", + "sub": "service", + "sys": "fld2", + "type": "obj_type", + "user": "username", + "version": "version", + }, processor_chain([ + dup1, + dup11, + dup2, + ])); + + var msg90 = msg("confd:01", part98); + + var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy Frox started."), + dup11, + dup2, + ])); + + var msg91 = msg("frox", part99); + + var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy listening on port."), + dup11, + dup2, + ])); + + var msg92 = msg("frox:01", part100); + + var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ + dup12, + 
setc("event_description","frox:FTP Proxy dropped priveleges."), + dup11, + dup2, + ])); + + var msg93 = msg("frox:02", part101); + + var select9 = linear_select([ + msg91, + msg92, + msg93, + ]); + + var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ + dup12, + setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), + dup11, + dup2, + ])); + + var msg94 = msg("afcd", part102); + + var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ + dup12, + setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), + dup11, + dup2, + ])); + + var msg95 = msg("ipsec_starter", part103); + + var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ + dup12, + setc("event_description","ipsec_starter: IP address or index of physical interface changed."), + dup11, + dup2, + ])); + + var msg96 = msg("ipsec_starter:01", part104); + + var select10 = linear_select([ + msg95, + msg96, + ]); + + var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: Starting Pluto."), + dup11, + dup2, + ])); + + var msg97 = msg("pluto", part105); + + var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: including NAT-Traversal patch."), + dup11, + dup2, + ])); + + var msg98 = msg("pluto:01", part106); + + var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating encryption algorithm."), + dup11, + dup2, + ])); + + var msg99 = msg("pluto:02", 
part107); + + var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating hash algorithm."), + dup11, + dup2, + ])); + + var msg100 = msg("pluto:03", part108); + + var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ + dup12, + setc("event_description","pluto: Testing registered IKE encryption algorithms"), + dup11, + dup2, + ])); + + var msg101 = msg("pluto:04", part109); + + var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test not available."), + dup11, + dup2, + ])); + + var msg102 = msg("pluto:05", part110); + + var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test passed."), + dup11, + dup2, + ])); + + var msg103 = msg("pluto:06", part111); + + var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ + dup12, + setc("event_description","pluto: Using KLIPS IPsec interface code"), + dup11, + dup2, + ])); + + var msg104 = msg("pluto:07", part112); + + var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","pluto: adding interface"), + dup11, + dup2, + ])); + + var msg105 = msg("pluto:08", part113); + + var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ + dup34, + setc("event_description","pluto: loading secrets"), + dup11, + dup2, + ])); + + var msg106 = msg("pluto:09", part114); + + var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ + dup34, + setc("event_description","pluto: loaded private key file"), + dup11, + dup2, + ])); + + var msg107 = msg("pluto:10", part115); + + var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ + dup12, + setc("event_description","pluto: added connection description"), + dup11, + dup2, + ])); + + var msg108 = msg("pluto:11", part116); + + var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, + ])); + + var msg109 = msg("pluto:12", part117); + + var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ + dup10, + dup36, + dup11, + dup2, + ])); + + var msg110 = msg("pluto:13", part118); + + var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, + ])); + + var msg111 = msg("pluto:14", part119); + + var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ + dup12, + setc("event_description","pluto:forgetting secrets"), + dup11, + dup2, + ])); + + var msg112 = msg("pluto:15", part120); + + var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ + dup12, + setc("event_description","pluto:Changing to directory"), + dup11, + dup2, + ])); + + var msg113 = msg("pluto:17", part121); + + var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ + dup12, + setc("event_description","pluto:*time to handle event"), + dup11, + dup2, + ])); + + var msg114 = 
msg("pluto:18", part122); + + var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ + dup12, + setc("event_description","pluto:*received kernel message"), + dup11, + dup2, + ])); + + var msg115 = msg("pluto:19", part123); + + var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ + dup25, + setc("event_description","pluto:rejected packet"), + dup11, + dup2, + ])); + + var msg116 = msg("pluto:20", part124); + + var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg117 = msg("pluto:21", part125); + + var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg118 = msg("pluto:22", part126); + + var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg119 = msg("pluto:23", part127); + + var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg120 = msg("pluto:24", part128); + + var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg121 = msg("pluto:25", part129); + + var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg122 = msg("pluto:26", part130); + + var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg123 = msg("pluto:27", part131); + + var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg124 = msg("pluto:28", part132); + + var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg125 = msg("pluto:29", part133); + + var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg126 = msg("pluto:30", part134); + + var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg127 = msg("pluto:31", part135); + + var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ + dup12, + setc("event_description","not authenticated"), + dup11, + dup2, + ])); + + var msg128 = msg("pluto:32", part136); + + var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, + ])); + + var msg129 = msg("pluto:33", part137); + + var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ + dup12, + dup36, + dup11, + dup2, + ])); + + var msg130 = msg("pluto:34", part138); + + var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, + ])); + + var msg131 = msg("pluto:35", part139); + + var select11 = linear_select([ + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + ]); + + var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","xl2tpd:This binary does not support kernel L2TP."), + dup11, + dup2, + ])); + + var msg132 = msg("xl2tpd", part140); + + var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ + dup12, + setc("event_description","xl2tpd:xl2tpd started."), + dup11, + dup2, + ])); + + var msg133 = msg("xl2tpd:01", part141); + + var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg134 = msg("xl2tpd:02", part142); + + var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg135 = msg("xl2tpd:03", part143); + + var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg136 = msg("xl2tpd:04", 
part144); + + var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ + dup12, + dup38, + dup11, + dup2, + ])); + + var msg137 = msg("xl2tpd:05", part145); + + var select12 = linear_select([ + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + ]); + + var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ + dup12, + setc("event_description","barnyard: Exiting"), + dup11, + dup2, + ])); + + var msg138 = msg("barnyard:01", part146); + + var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Initializing daemon mode"), + dup11, + dup2, + ])); + + var msg139 = msg("barnyard:02", part147); + + var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ + dup12, + setc("event_description","barnyard:Opened spool file."), + dup11, + dup2, + ])); + + var msg140 = msg("barnyard:03", part148); + + var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Waiting for new data"), + dup11, + dup2, + ])); + + var msg141 = msg("barnyard:04", part149); + + var select13 = linear_select([ + msg138, + msg139, + msg140, + msg141, + ]); + + var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ + dup12, + setc("event_description","exim:SMTP connection from localhost closed by QUIT"), + dup11, + dup2, + ])); + + var msg142 = msg("exim:01", part150); + + var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ + setc("eventcategory","1207010000"), + setc("event_description","exim:e-mail accepted from relay."), + dup11, + dup2, + ])); + + var msg143 = msg("exim:02", part151); + + var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ + setc("eventcategory","1207000000"), + setc("event_description","exim: e-mail sent."), + dup11, + dup2, + ])); + + var msg144 = msg("exim:03", part152); + + var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ + dup39, + setc("event_description","exim: e-mail host lookup did not complete in DNS."), + dup11, + dup2, + ])); + + var msg145 = msg("exim:04", part153); + + var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ + dup39, + setc("event_description","exim: e-mail routing defer:retry time not reached."), + dup11, + dup2, + ])); + + var msg146 = msg("exim:05", part154); + + var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ + dup12, + setc("event_description","exim: exim daemon started."), + dup11, + dup2, + ])); + + var msg147 = msg("exim:06", part155); + + var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ + dup12, + 
setc("event_description","exim: Start queue run."), + dup11, + dup2, + ])); + + var msg148 = msg("exim:07", part156); + + var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ + dup12, + setc("event_description","exim: SIGHUP received: re-exec daemon."), + dup11, + dup2, + ])); + + var msg149 = msg("exim:08", part157); + + var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim: SMTP connection from host."), + dup11, + dup2, + ])); + + var msg150 = msg("exim:09", part158); + + var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:rejected EHLO from host."), + dup11, + dup2, + ])); + + var msg151 = msg("exim:10", part159); + + var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), + dup11, + dup2, + ])); + + var msg152 = msg("exim:11", part160); + + var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:TLS error on connection from host."), + dup11, + dup2, + ])); + + var msg153 = msg("exim:12", part161); + + var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg154 = msg("exim:13", part162); + + var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg155 = msg("exim:14", part163); + + var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, + ])); + + var msg156 = msg("exim:15", part164); + + var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ + dup12, + dup11, + dup2, + ])); + + var msg157 = msg("exim:16", part165); + + var select14 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + ]); + + var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ + dup12, + setc("event_description","smtpd: Process moved to work queue."), + dup11, + dup2, + ])); + + var msg158 = msg("smtpd:01", part166); + + var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ + setc("eventcategory","1207010100"), + dup11, + dup2, + ])); + + var msg159 = msg("smtpd:02", part167); + + var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ + dup12, + setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), + dup11, + dup2, + ])); + + 
var msg160 = msg("smtpd:03", part168); + + var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), + dup11, + dup2, + ])); + + var msg161 = msg("smtpd:04", part169); + + var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), + dup11, + dup2, + ])); + + var msg162 = msg("smtpd:07", part170); + + var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), + dup11, + dup2, + ])); + + var msg163 = msg("smtpd:05", part171); + + var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:Sending QR one."), + dup11, + dup2, + ])); + + var msg164 = msg("smtpd:06", part172); + + var select15 = linear_select([ + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + ]); + + var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ + dup10, + setc("event_description","sshd: Did not receive identification string."), + dup11, + dup2, + ])); + + var msg165 = msg("sshd:01", part173); + + var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ + dup12, + setc("event_description","sshd:Received SIGHUP restarting."), + dup11, + dup2, + ])); + + var msg166 = msg("sshd:02", part174); + + var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ + dup12, + setc("event_description","sshd:Server listening; restarting."), + dup11, + dup2, + ])); + + var msg167 = msg("sshd:03", part175); + + var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ + dup41, + setc("event_description","sshd:Invalid user admin."), + dup11, + dup2, + ])); + + var msg168 = msg("sshd:04", part176); + + var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed none for invalid user admin."), + dup11, + dup2, + ])); + + var msg169 = msg("sshd:05", part177); + + var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ + dup10, + setc("event_description","sshd:error:Could not get shadow information for NOUSER"), + dup11, + dup2, + ])); + + var msg170 = msg("sshd:06", part178); + + var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed password for root."), + dup11, + dup2, + ])); + + var msg171 = msg("sshd:07", part179); + + var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + setc("eventcategory","1302000000"), + setc("event_description","sshd:Accepted password for loginuser."), + dup11, + dup2, + ])); + + var msg172 = msg("sshd:08", part180); + + var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ + dup10, + setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), + dup11, + dup2, + ])); + + var msg173 = msg("sshd:09", part181); 
+ + var select16 = linear_select([ + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + ]); + + var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { + "caller": "fld4", + "engine": "fld5", + "id": "fld1", + "name": "event_description", + "severity": "severity", + "srcip": "saddr", + "sub": "service", + "sys": "fld2", + "user": "username", + }, processor_chain([ + dup13, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg174 = msg("aua:01", part182); + + var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ + dup12, + setc("event_description","sockd: created new negotiatorchild."), + dup11, + dup2, + ])); + + var msg175 = msg("sockd:01", part183); + + var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ + dup12, + setc("event_description","sockd:dante/server running."), + dup11, + dup2, + ])); + + var msg176 = msg("sockd:02", part184); + + var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ + dup12, + setc("event_description","sockd:sockdexit():terminating on signal."), + dup11, + dup2, + ])); + + var msg177 = msg("sockd:03", part185); + + var select17 = linear_select([ + msg175, + msg176, + msg177, + ]); + + var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ + dup12, + setc("event_description","pop3proxy:Master started."), + dup11, + dup2, + ])); + + var msg178 = msg("pop3proxy", part186); + + var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + 
"categoryname": "info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "url": "url", + "user": "username", + "version": "version", + }, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg179 = msg("astarosg_TVM", part187); + + var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + "categoryname": 
"info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "port": "network_port", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "query": "web_query", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "uid": "uid", + "url": "url", + "user": "username", + "version": "version", + }, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, + ])); + + var msg180 = msg("httpd", part188); + + var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ + setc("eventcategory","1502000000"), + dup2, + dup3, + ])); + + var msg181 = msg("httpd:01", part189); + + var select18 = linear_select([ + msg180, + msg181, + ]); + + var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { + "activityname": "fld9", + "appfilter_policy_id": "fld10", + "application": "application", + "application_category": "fld23", + "application_risk": "risk_num", + "application_technology": "fld11", + "appresolvedby": "fld22", + "category": "fld4", + "category_type": "fld5", + "connevent": "fld19", + "connid": "connectionid", + "contenttype": "content_type", + "dir_disp": "fld18", + "domain": "fqdn", + "dst_country_code": "location_dst", + "dst_ip": "daddr", + "dst_port": "dport", + "dstzone": "dst_zone", + "dstzonetype": "fld17", + "duration": "duration", + "exceptions": "fld8", + "fw_rule_id": "rule_uid", + "hb_health": "fld21", + "httpresponsecode": "fld7", + "iap": "id1", + "in_interface": "sinterface", + "ips_policy_id": "policy_id", + "log_component": "event_source", + "log_subtype": "category", + "log_type": "event_type", + "message": "info", + "out_interface": "dinterface", + "override_token": "fld6", + "policy_type": "fld23", + "priority": "severity", + "protocol": "protocol", + "reason": "result", + "recv_bytes": "rbytes", + "recv_pkts": "fld15", + "referer": "web_referer", + "sent_bytes": "sbytes", + "sent_pkts": "fld14", + "src_country_code": "location_src", + "src_ip": "saddr", + "src_mac": "smacaddr", + "src_port": "sport", + "srczone": "src_zone", + "srczonetype": "fld16", + "status": "event_state", + "status_code": "resultcode", + "tran_dst_ip": "dtransaddr", + 
"tran_dst_port": "dtransport", + "tran_src_ip": "stransaddr", + "tran_src_port": "stransport", + "transactionid": "id2", + "url": "url", + "user_agent": "user_agent", + "user_gp": "group", + "user_name": "username", + "vconnid": "fld20", + }, processor_chain([ + setc("eventcategory","1204000000"), + dup2, + date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], + ], + }), + ])); + + var msg182 = msg("Sophos_Firewall", part190); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "Sophos_Firewall": msg182, + "URID": msg38, + "afcd": msg94, + "astarosg_TVM": msg179, + "aua": msg174, + "barnyard": select13, + "confd": msg90, + "confd-sync": msg89, + "exim": select14, + "frox": select9, + "httpd": select18, + "httpproxy": select3, + "ipsec_starter": select10, + "named": select2, + "pluto": select11, + "pop3proxy": msg178, + "reverseproxy": select8, + "smtpd": select15, + "sockd": select17, + "sshd": select16, + "ulogd": msg39, + "xl2tpd": select12, + }), + ]); + + var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + 
target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/sophos/2.2.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.2.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0ccb6ce73a --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,84 @@
+---
+description: Pipeline for Sophos UTM (formerly Astaro Security Gateway).
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - gsub:
+ field: destination.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - gsub:
+ field: source.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - uppercase:
+ field: destination.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
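Review bot: The `on_failure` handler at the end of this hunk records the failure text in `error.message` but does not mark the document as a failed pipeline run, so events that stopped part-way through enrichment are indistinguishable from fully processed ones in searches and detection rules. Add a second processor under `on_failure` after the `append`: `- set:` / `field: event.kind` / `value: pipeline_error`, which is the convention used for that purpose in ingest pipelines. Separately, this package's ecs.yml declares `related.ip` and `related.user`, yet the only `related.*` population in this pipeline is the `related.hosts` append from `host.name`; unless the JavaScript parser (outside this hunk) fills them, `source.ip` and `destination.ip` should be appended to `related.ip` with `allow_duplicates: false` so analysts can pivot on either side of a connection.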
diff --git a/packages/sophos/2.2.1/data_stream/utm/fields/base-fields.yml b/packages/sophos/2.2.1/data_stream/utm/fields/base-fields.yml
new file mode 100755
index 0000000000..0c50a77637
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: sophos
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: sophos.utm
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/sophos/2.2.1/data_stream/utm/fields/ecs.yml b/packages/sophos/2.2.1/data_stream/utm/fields/ecs.yml
new file mode 100755
index 0000000000..a7357fbfbe
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/fields/ecs.yml
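Review bot: `ignore_above: 1024` is applied to `container.id`, `log.file.path` and `tags` in the base-fields.yml hunk but not to the other `keyword` fields declared alongside them (`input.type`, `log.source.address`, `log.flags`), and the key order also alternates between `type`-first and `description`-first entries. Since `log.source.address` is populated from the transport layer of a syslog input, it is the one most likely to receive an unexpectedly long value; adding `ignore_above: 1024` to it (and to the other two for consistency) keeps the mapping uniform and avoids indexing failures on oversized terms. Consider also ordering each entry as `name`, `type`, `description`, then extras, matching the first six entries.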
@@ -0,0 +1,539 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/sophos/2.2.1/data_stream/utm/fields/fields.yml b/packages/sophos/2.2.1/data_stream/utm/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/utm/fields/fields.yml 
@@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/sophos/2.2.1/data_stream/utm/manifest.yml b/packages/sophos/2.2.1/data_stream/utm/manifest.yml new file mode 100755 index 0000000000..807bd92dda --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/utm/manifest.yml 
@@ -0,0 +1,204 @@
+title: Sophos UTM logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Sophos UTM logs
+ description: Collect Sophos UTM logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-utm
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9549
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Sophos UTM logs
+ description: Collect Sophos UTM logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-utm
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9549
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Sophos UTM logs
+ description: Collect Sophos UTM logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/sophos-utm.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-utm
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/sophos/2.2.1/data_stream/utm/sample_event.json b/packages/sophos/2.2.1/data_stream/utm/sample_event.json
new file mode 100755
index 0000000000..0808f72f59
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/utm/sample_event.json
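Review bot: The `tcp` stream's var list (second input in this hunk) has no `ssl` variable, so UTM syslog forwarded over TCP can only be received in the clear, while the xg `tcp.yml.hbs` later in this diff renders `ssl: {{ssl}}` when such a var is set. If the utm `tcp.yml.hbs` referenced by `template_path` (not in this chunk) accepts one, add a matching `- name: ssl` var with `type: yaml`, `required: false` and `show_user: false` so an operator can put TLS on the listener instead of relying on the network path. On style, the udp and tcp `processors` descriptions use `description: >` while the logfile stream uses `description: >-`; the `>-` form, which drops the trailing newline, is the one to use in all three.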
@@ -0,0 +1,73 @@ +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "4a4dd5d5-8f82-4911-b531-99290943b6c6", + "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "sophos.utm", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "smtpd", + "dataset": "sophos.utm", + "ingested": "2022-01-25T18:04:29Z", + "timezone": "+00:00" + }, + "host": { + "name": "localhost.localdomain" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.25.0.7:39467" + } + }, + "message": "smtpd: MASTER:QR globally disabled, status one set to disabled.", + "observer": { + "product": "UTM", + "type": "Firewall", + "vendor": "Sophos" + }, + "process": { + "pid": 905 + }, + "related": { + "hosts": [ + "localhost.localdomain" + ] + }, + "rsa": { + "internal": { + "event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", + "messageid": "smtpd" + }, + "network": { + "alias_host": [ + "localhost.localdomain" + ] + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "tags": [ + "sophos-utm", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/sophos/2.2.1/data_stream/xg/agent/stream/log.yml.hbs b/packages/sophos/2.2.1/data_stream/xg/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..177b022013 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/agent/stream/log.yml.hbs 
@@ -0,0 +1,28 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ +- add_fields: + target: '_conf' + fields: + default: {{default_host_name}} + mappings: +{{#if known_devices}} + {{known_devices}} +{{/if}} diff --git a/packages/sophos/2.2.1/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/2.2.1/data_stream/xg/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..b901abd778 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/agent/stream/tcp.yml.hbs @@ -0,0 +1,31 @@ +tcp: +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ +- add_fields: + target: '_conf' + fields: + default: {{default_host_name}} + mappings: +{{#if known_devices}} + {{known_devices}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} diff --git a/packages/sophos/2.2.1/data_stream/xg/agent/stream/udp.yml.hbs b/packages/sophos/2.2.1/data_stream/xg/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..426c9fc440 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/agent/stream/udp.yml.hbs 
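Review bot: `default: {{default_host_name}}` under `add_fields` is an unquoted templated scalar, so an empty variable renders as YAML null and a value that looks numeric or boolean is retyped before the default pipeline's host.name script reads it back as `conf['default']`; quoting it, `default: "{{default_host_name}}"`, keeps it a string in every case. The same line appears in tcp.yml.hbs and udp.yml.hbs. Whether `{{known_devices}}` under `mappings:` and `ssl: {{ssl}}` in tcp.yml.hbs render correctly for multi-line YAML values depends on the agent's indentation handling for `yaml`-typed variables, which these hunks cannot show; a rendered-config check with a multi-entry known_devices list would settle it.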
@@ -0,0 +1,25 @@ +udp: +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ +- add_fields: + target: '_conf' + fields: + default: {{default_host_name}} + mappings: +{{#if known_devices}} + {{known_devices}} +{{/if}} diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml new file mode 100755 index 0000000000..573c3d7f40 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml 
@@ -0,0 +1,135 @@ +--- +description: Pipeline for parsing Sophos XG firewall logs (anti-spam pipeline). +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + ignore_empty_value: true +- set: + field: event.outcome + value: success + ignore_empty_value: true +- set: + field: event.kind + value: alert + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' +- append: + field: event.category + value: malware + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' +- append: + field: event.category + value: intrusion_detection + if: "ctx.event?.code == '13012'" +- append: + field: event.category + value: network +- append: + field: event.type + value: + - allowed + - connection + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.event?.code)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' + +#################################### +## ECS Destination Mapping +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" + +############################### +## ECS Source Mapping +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + 
ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- rename: + field: sophos.xg.src_domainname + target_field: source.domain + ignore_missing: true + +####################### +## ECS Email Mapping ## +####################### +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true +- append: + field: email.from.address + value: "{{{source.user.email}}}" + if: "ctx?.source?.user?.email != null" +- append: + field: email.to.address + value: "{{{destination.user.email}}}" + if: "ctx?.destination?.user?.email != null" +- set: + field: email.subject + copy_from: sophos.xg.email_subject + if: "ctx?.sophos.xg?.email_subject != null" +- set: + field: email.subject + copy_from: sophos.xg.subject + if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- lowercase: + field: sophos.xg.log_component + target_field: network.protocol + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.from_email_address + - sophos.xg.to_email_address + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml new file mode 100755 index 0000000000..cbfa5e2829 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml 
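Review bot: The two `email.subject` conditions use `ctx?.sophos.xg?.email_subject` and `ctx?.sophos.xg?.subject`, which null-guard `ctx` but not `sophos`, while every other condition in this file is written `ctx.sophos?.xg?.…`. This pipeline is only entered when `sophos.xg.log_type` is set, so the missing guard is unlikely to throw today, but it is the one shape that would turn an absent `sophos` object into a failed document. Change them to `if: "ctx.sophos?.xg?.email_subject != null"` and `if: "ctx.sophos?.xg?.subject != null && ctx.email?.subject == null"`; antivirus.yml carries the same two lines.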
@@ -0,0 +1,222 @@ +--- +description: Pipeline for parsing sophos firewall logs (antivirus pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - malware + - network + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- set: + field: event.kind + value: event + if: '["09002"].contains(ctx.event?.code)' +- append: + field: event.type + value: + - allowed + - connection + if: '["09002"].contains(ctx.event?.code)' +- append: + field: event.category + value: network + if: '["09002"].contains(ctx.event?.code)' + +############################# +## ECS Destination Mapping ## +############################# +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- rename: + field: sophos.xg.dstdomain + target_field: destination.domain + ignore_failure: true +- rename: + field: sophos.xg.dst_domainname + target_field: destination.domain + ignore_failure: true + +######################## +## ECS Source Mapping ## +######################## +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- rename: + field: sophos.xg.user_name + target_field: 
source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.src_domainname + target_field: source.domain + ignore_failure: true + +####################### +## ECS Email Mapping ## +####################### +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true +- append: + field: email.from.address + value: "{{{source.user.email}}}" + if: "ctx?.source?.user?.email != null" +- append: + field: email.to.address + value: "{{{destination.user.email}}}" + if: "ctx?.destination?.user?.email != null" +- set: + field: email.subject + copy_from: sophos.xg.email_subject + if: "ctx?.sophos.xg?.email_subject != null" +- set: + field: email.subject + copy_from: sophos.xg.subject + if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- uri_parts: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.original + target_field: url +- set: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.full + copy_from: url.original + ignore_empty_value: true +- rename: + field: sophos.xg.domainname + target_field: url.domain + ignore_failure: true + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.user_agent != null" +- convert: + field: sophos.xg.status_code + target_field: 
http.response.status_code + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophos.xg.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophos?.xg?.filename != null" +- convert: + field: sophos.xg.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.file_size != null" +- rename: + field: sophos.xg.file_path + target_field: file.directory + ignore_missing: true + if: "ctx.sophos?.xg?.file_path != null" + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- lowercase: + field: sophos.xg.log_component + target_field: network.protocol + ignore_missing: true + +############# +## Cleanup ## +############# +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.domainname + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.status_code + - sophos.xg.file_size + - sophos.xg.from_email_address + - sophos.xg.to_email_address + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml new file mode 100755 index 0000000000..47bcb458a6 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml 
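Review bot: The `rename` of `sophos.xg.domainname` to `url.domain` relies on `ignore_failure: true` to survive the case where `uri_parts` has already populated `url.domain`, and the later `remove` then drops `sophos.xg.domainname` regardless, so a conflict between the two values is silently resolved in favour of `uri_parts` and any other rename error is hidden with it. cfilter.yml states the same intent explicitly with `ignore_missing: true` and `if: ctx.url?.domain == null`; using those two lines here instead keeps the precedence visible and lets genuine failures surface. The `dstdomain`/`dst_domainname` and `src_domainname` renames use `ignore_failure` the same way and would read more clearly with `ignore_missing: true` plus a `ctx.destination?.domain == null` / `ctx.source?.domain == null` guard.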
@@ -0,0 +1,120 @@ +--- +description: Pipeline for parsing sophos firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["18009", "18010"].contains(ctx.event?.code)' +- append: + field: event.type + value: + - denied + - connection + if: '["18009", "18010"].contains(ctx.event?.code)' +- rename: + field: sophos.xg.eventid + target_field: event.id + ignore_missing: true + if: "ctx.sophos?.xg?.eventid != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + 
ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- uri_parts: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.original + target_field: url +- set: + if: ctx.url?.original != null && ctx.url.original.contains("://") + field: url.full + copy_from: url.original + ignore_empty_value: true + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + +############# +## Cleanup ## +############# +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml new file mode 100755 index 0000000000..d8030558aa --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml 
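Review bot: `sophos.xg.sourceip` and `sophos.xg.src_ip` are both renamed to `source.ip`, and the second rename has no `ctx.source?.ip == null` guard, so an event that carries both keys fails the second rename and drops into `on_failure`, leaving every later processor in this pipeline unrun. Whether an ATP line can carry both cannot be told from the hunk; if it can, `if: "ctx.sophos?.xg?.src_ip != null && ctx.source?.ip == null"` on the second rename makes the precedence explicit and removes the failure path. event.yml has the same pattern for `dst_ip`/`localinterfaceip` and `src_ip`/`remoteinterfaceip`.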
@@ -0,0 +1,168 @@ +--- +description: Pipeline for parsing sophos firewall logs (Content Filtering pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophos?.xg?.log_subtype != 'Denied'" +- append: + field: event.type + value: + - allowed + - connection + if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Denied'" + +########################## +## ECS Destination Mapping +########################## +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" + +##################### +## ECS Source Mapping +##################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + 
if: "ctx.sophos?.xg?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true +- uri_parts: + field: url.original + target_field: url + if: "ctx.url?.original != null" +- set: + field: url.full + copy_from: url.original + ignore_empty_value: true +- rename: + field: sophos.xg.domain + target_field: url.domain + ignore_missing: true + if: ctx.url?.domain == null + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophos?.xg?.referer != null" +- convert: + field: sophos.xg.status_code + target_field: http.response.status_code + type: long + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" +- convert: + field: sophos.xg.http_status + target_field: http.response.status_code + type: long + ignore_missing: true + if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true +- user_agent: + field: user_agent.original + target_field: user_agent + ignore_missing: true + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- set: + field: network.protocol + copy_from: url.scheme + override: false + ignore_empty_value: true + +############# +## Cleanup ## +############# +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.domain + - sophos.xg.http_status + - sophos.xg.http_user_agent + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
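Review bot: `uri_parts` here runs on any non-null `url.original`, whereas antivirus.yml and atp.yml additionally require `ctx.url.original.contains("://")`; a bare hostname or path in `url=` is therefore handed to `uri_parts` without a scheme, which at best yields a misleading `url.path` and at worst fails the processor and routes the document to `on_failure`, skipping the referrer, status-code, user-agent, network and cleanup processors that follow. Aligning the condition, `if: ctx.url?.original != null && ctx.url.original.contains("://")`, keeps the three pipelines consistent. The `sophos.xg.http_user_agent` entry in the final `remove` is not referenced anywhere else in this file, so it looks stale.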
diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f17e934640 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,568 @@ +--- +description: Pipeline for parsing Sophos XG firewall logs. +processors: +- set: + field: ecs.version + value: '8.2.0' + +- set: + field: event.original + copy_from: message + override: false +- grok: + field: event.original + patterns: + - '^%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:message}$' + - '^%{SYSLOG5424PRI}%{GREEDYDATA:message}$' + - '^%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:message}$' + - '%{GREEDYDATA:message}$' + +# split Sophos-XG fields +- kv: + field: message + field_split: " (?=[a-zA-Z0-9_]+=)" + value_split: "=" + prefix: "sophos.xg." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +- script: + description: Lowercase sophos.xg key name names. + tag: lowercase-sophos-keys + if: ctx.sophos?.xg != null + source: | + def lowercaseMap = [:]; + for(def entry : ctx.sophos.xg.entrySet()){ + lowercaseMap.put(entry.getKey().toLowerCase(), entry.getValue()); + } + ctx.sophos.xg = lowercaseMap; + +# Parse the date +- set: + field: _temp_.time + value: "{{sophos.xg.date}} {{sophos.xg.time}}" + if: ctx.sophos?.xg?.date != null && ctx.sophos?.xg?.time != null +- set: + field: _temp_.time + copy_from: sophos.xg.timestamp + ignore_empty_value: true + if: ctx._temp_?.time == null +- date: + if: ctx._temp_?.time != null && ctx.event?.timezone == null + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 +- date: + if: ctx._temp_?.time != null && ctx.event?.timezone != null + timezone: "{{ event.timezone }}" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx.sophos?.xg?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; + 
ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + description: Remove empty fields. + tag: remove-empty-fields + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### + +# log_id consists of (example: 010101600001): +# log type: 2 digits +# log component: 2 digits +# log subtype: 2 digits +# severity: 1 digit +# message ID: 5 digits +- gsub: + description: Set event.severity from log_id. + field: sophos.xg.log_id + target_field: event.severity + pattern: '^.{6}(.).*$' + replacement: '$1' + ignore_failure: true +- convert: + field: event.severity + type: long + ignore_missing: true +- gsub: + description: Set event.code from log_id. + field: sophos.xg.log_id + target_field: event.code + pattern: '^.{7}(.{5})$' + replacement: '$1' + ignore_failure: true + +##################### +## ECS Log Mapping ## +##################### +- set: + if: ctx.event?.severity == 0 + field: log.level + value: unknown +- set: + if: ctx.event?.severity == 1 + field: log.level + value: alert +- set: + if: ctx.event?.severity == 2 + field: log.level + value: critical +- set: + if: ctx.event?.severity == 3 + field: log.level + value: error +- set: + if: ctx.event?.severity == 4 + field: log.level + value: warning +- set: + if: ctx.event?.severity == 5 + field: log.level + value: notification +- set: + if: ctx.event?.severity == 6 + field: log.level + value: informational +- set: + if: ctx.event?.severity == 7 + field: log.level + value: debug + +- set: + field: log.level + copy_from: sophos.xg.severity + ignore_empty_value: true + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: 
Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- rename: + field: sophos.xg.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophos.xg.device_serial_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophos.xg.out_interface + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.srczone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.src_zone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.dstzone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: sophos.xg.dst_zone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: sophos.xg.srczonetype + target_field: sophos.xg.src_zone_type + ignore_missing: true +- rename: + field: sophos.xg.dstzonetype + target_field: sophos.xg.dst_zone_type + ignore_missing: true + +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def mappings = conf.mappings; + if (mappings == null) return; + def name = conf['default']; + for (def item : mappings) { + if (item.serial_number == serial) { + name = item.hostname; + break; + } + } + if (ctx.host == null) { + ctx.host = new HashMap(); + } + ctx.host.name = name; + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _conf + - sophos.xg.date + - sophos.xg.time + - sophos.xg.timestamp + - sophos.xg.duration + - sophos.xg.timezone + - sophos.xg.dir_disp + - sophos.xg.log_occurrence + - sophos.xg.nat_rule_id + - sophos.xg.in_display_interface 
+ - sophos.xg.out_display_interface + - syslog5424_pri + ignore_missing: true + +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- convert: + field: sophos.xg.bytes_sent + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_sent != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- convert: + field: sophos.xg.bytes_received + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytes_received != null" + +############################# +## ECS Source/Destination MAC +############################# +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_failure: true +- uppercase: + field: source.mac + ignore_missing: true +- gsub: + field: source.mac + pattern: '[-:. 
]' + replacement: '' + ignore_missing: true +- gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + +- rename: + field: sophos.xg.dst_mac + target_field: destination.mac + ignore_failure: true +- uppercase: + field: destination.mac + ignore_missing: true +- gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + +############################### +## Product Specific Pipelines ## +############################### +- pipeline: + name: '{{ IngestPipeline "antispam" }}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" +- pipeline: + name: '{{ IngestPipeline "antivirus" }}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" +- pipeline: + name: '{{ IngestPipeline "atp" }}' + if: "ctx.sophos?.xg?.log_type == 'ATP'" +- pipeline: + name: '{{ IngestPipeline "cfilter" }}' + if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" +- pipeline: + name: '{{ IngestPipeline "event" }}' + if: "ctx.sophos?.xg?.log_type == 'Event'" +- pipeline: + name: '{{ IngestPipeline "firewall" }}' + if: "ctx.sophos?.xg?.log_type == 'Firewall'" +- pipeline: + name: '{{ IngestPipeline "idp" }}' + if: "ctx.sophos?.xg?.log_type == 'IDP'" +- pipeline: + name: '{{ IngestPipeline "sandstorm" }}' + if: "ctx.sophos?.xg?.log_type == 'Sandbox'" +- pipeline: + name: '{{ IngestPipeline "systemhealth" }}' + if: "ctx.sophos?.xg?.log_type == 'System Health'" +- pipeline: + name: '{{ IngestPipeline "waf" }}' + if: "ctx.sophos?.xg?.log_type == 'WAF'" +- pipeline: + name: '{{ IngestPipeline "wifi" }}' + if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" + +################## +# GeoIP Enrichment +################## +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo 
== null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############## +## ECS Network +############## +- lowercase: + field: network.protocol + ignore_failure: true +- set: + description: Rename pops network.protocol to pop3s. 
+ if: ctx.network?.protocol == "pops" + field: network.protocol + value: pop3s +- lowercase: + field: network.transport + ignore_failure: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx.source?.bytes != null && ctx.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx.source?.packets != null && ctx.destination?.packets != null" + ignore_failure: true +- community_id: + ignore_failure: true + +#################### +## ECS Related Hosts +#################### +- append: + if: ctx.host?.name != null + field: related.hosts + value: '{{{host.name}}}' + allow_duplicates: false +- append: + if: ctx.url?.domain != null + field: related.hosts + value: '{{{url.domain}}}' + allow_duplicates: false +- append: + if: ctx.source?.domain != null + field: related.hosts + value: '{{{source.domain}}}' + allow_duplicates: false +- append: + if: ctx.destination?.domain != null + field: related.hosts + value: '{{{destination.domain}}}' + allow_duplicates: false + +################# +## ECS Related IP +################# +- append: + if: ctx.source?.ip != null + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false +- append: + if: ctx.destination?.ip != null + field: related.ip + value: '{{{destination.ip}}}' + allow_duplicates: false +- append: + if: ctx.source?.nat?.ip != null + field: related.ip + value: '{{{source.nat.ip}}}' + allow_duplicates: false +- append: + if: ctx.destination?.nat?.ip != null + field: related.ip + value: '{{{destination.nat.ip}}}' + allow_duplicates: false + +################### +## ECS Related User +################### +- append: + if: ctx.source?.user?.name != null + field: related.user + value: "{{{source.user.name}}}" + allow_duplicates: false + +################### +## ECS Related Hash +################### +- append: + if: ctx.file?.hash?.sha1 != null + 
field: related.hash + value: "{{{file.hash.sha1}}}" + allow_duplicates: false +- append: + if: ctx.file?.hash?.sha256 != null + field: related.hash + value: "{{{file.hash.sha256}}}" + allow_duplicates: false + +############# +## Cleanup ## +############# +- rename: + field: sophos.xg.reason + target_field: event.reason + ignore_failure: true + +- remove: + field: + - sophos.xg.bytes_received + - sophos.xg.bytes_sent + - sophos.xg.dst_country + - sophos.xg.in_display_interface + - sophos.xg.out_display_interface + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.severity + - sophos.xg.src_country + ignore_missing: true +- remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml new file mode 100755 index 0000000000..7442b607b2 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml 
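Review bot: The `kv` split `" (?=[a-zA-Z0-9_]+=)"` is not quote-aware, so a quoted free-text value (`message="…"`, `url="…"`, a mail subject) that contains a `word=` sequence after a space is cut there and the fragment becomes a spurious `sophos.xg.*` key; since `kv` appends repeated keys rather than overwriting, a repeated name such as `log_type` would turn the routing comparisons at the end of this pipeline (`ctx.sophos?.xg?.log_type == 'Firewall'`) into non-matches and the event would lose its product-specific mapping. A pipeline-test fixture with such a value would show whether real Sophos output triggers this; if it does, pre-extracting the quoted fields (for example with `grok` or `dissect`) before `kv` is the usual remedy. Separately, the `remove-empty-fields` script dereferences `ctx.sophos?.xg.entrySet()` with no `if:` condition, unlike the preceding lowercase script which has `if: ctx.sophos?.xg != null`; adding the same guard keeps a document with no key=value pairs from throwing here.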
@@ -0,0 +1,129 @@
+---
+description: Pipeline for parsing Sophos XG firewall logs (authentication events pipeline).
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.kind
+    value: event
+- set:
+    field: event.outcome
+    value: success
+    if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Successful"'
+- set:
+    field: event.outcome
+    value: failure
+    if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Failed"'
+- set:
+    field: event.outcome
+    value: success
+    if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Successful" && ctx.event?.code == "17507"'
+- set:
+    field: event.outcome
+    value: failure
+    if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Failed" && ctx.event?.code == "17507"'
+- append:
+    field: event.type
+    value:
+      - user
+      - start
+    if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)"
+- append:
+    field: event.type
+    value:
+      - user
+      - end
+    if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.event?.code)"
+- append:
+    field: event.type
+    value: connection
+    if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)"
+- append:
+    field: event.category
+    value: network
+    if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)"
+- append:
+    field: event.category
+    value: authentication
+    if: 'ctx.sophos?.xg?.log_subtype == "Authentication"'
+- append:
+    field: event.type
+    value: info
+    if: 'ctx.event?.code == "17819"'
+- append:
+    field: event.category
+    value:
+      - host
+      - malware
+    if: 'ctx.event?.code == "17819"'
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+    field: sophos.xg.dst_ip
+    target_field: destination.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.dst_ip != null"
+- rename:
+    field: sophos.xg.localinterfaceip
+    target_field: destination.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.localinterfaceip != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+    field: sophos.xg.src_ip
+    target_field: source.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.src_ip != null"
+- rename:
+    field: sophos.xg.remoteinterfaceip
+    target_field: source.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.remoteinterfaceip != null"
+- rename:
+    field: sophos.xg.user_name
+    target_field: source.user.name
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.user_name != null"
+- set:
+    field: source.user.name
+    value: '{{sophos.xg.name}}'
+    if: "ctx.sophos?.xg?.name != null"
+- set:
+    field: user.name
+    value: '{{source.user.name}}'
+    ignore_empty_value: true
+    if: 'ctx.sophos?.xg?.log_subtype == "Authentication"'
+- rename:
+    field: sophos.xg.usergroupname
+    target_field: source.user.group.name
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.usergroupname != null"
+
+#########################
+## ECS Message Mapping ##
+#########################
+- rename:
+    field: sophos.xg.message
+    target_field: message
+    ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+    field:
+      - sophos.xg.dst_port
+      - sophos.xg.src_port
+      - sophos.xg.name
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
+
diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml
new file mode 100755
index 0000000000..7e48fade03
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml
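Review bot: The `set` that copies `sophos.xg.name` into `source.user.name`, and the one that copies it on to `user.name`, use double-brace Mustache substitution, which the ingest template engine HTML-escapes, so a user name containing `&`, `<`, `>`, `"` or `'` is stored entity-encoded and will not match the same principal recorded by other data streams (the related.* appends earlier in this commit avoid this by using triple braces). The `sandstorm.yml` pipeline in the same commit already uses `copy_from` for this kind of field copy, which also preserves the value byte-for-byte. Change `value: '{{sophos.xg.name}}'` to `copy_from: sophos.xg.name` and `value: '{{source.user.name}}'` to `copy_from: source.user.name`, leaving the existing `if` guards in place.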
@@ -0,0 +1,232 @@ +--- +description: Pipeline for parsing sophos firewall logs (firewall pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' +- append: + field: event.category + value: intrusion_detection + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' +- append: + field: event.category + value: network +- append: + field: event.type + value: + - start + - allowed + - connection + if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.sophos?.xg?.connevent == 'Stop'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophos?.xg?.status == 'Deny'" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- rename: + field: sophos.xg.tran_dst_ip + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_dst_ip != null" +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip !=null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- convert: + field: sophos.xg.tran_dst_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.sophos?.xg?.tran_dst_port != null" +- convert: + field: sophos.xg.recv_pkts + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_pkts !=null" +- convert: + field: sophos.xg.packets_received + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.packets_received !=null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- rename: + field: sophos.xg.tran_src_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_ip != null" +- rename: + field: sophos.xg.src_trans_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_trans_ip != null" +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- convert: + field: sophos.xg.tran_src_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_port != null" +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophos?.xg?.src_mac != null" +- trim: + field: sophos.xg.sent_pkts + ignore_missing: true +- trim: + field: sophos.xg.packets_sent + ignore_missing: true +- convert: + field: sophos.xg.sent_pkts + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_pkts != null" +- convert: + field: sophos.xg.packets_sent + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.packets_sent != null" 
+- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: sophos.xg.policy_type + target_field: rule.ruleset + ignore_missing: true + if: "ctx.sophos?.xg?.policy_type != null" + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.application + target_field: network.protocol + ignore_missing: true +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- set: + field: network.direction + value: inbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone) && ctx.observer?.ingress?.zone == 'WAN'" +- set: + field: network.direction + value: outbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ctx.observer?.egress?.zone == 'WAN'" +- set: + field: network.direction + value: internal + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone)" +- set: + field: network.direction + value: external + if: "ctx.observer?.ingress?.zone == 'WAN' && ctx.observer?.egress?.zone == 'WAN'" + +############# +## Cleanup ## +############# +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.tran_dst_port + - sophos.xg.recv_pkts + - sophos.xg.src_port + - sophos.xg.tran_src_port + - sophos.xg.sent_pkts + - sophos.xg.packets_received + - sophos.xg.packets_sent + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
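Review bot: The converts of `sophos.xg.recv_pkts` and `sophos.xg.packets_received` into `destination.packets` have no `trim` in front of them, while the hunk does trim `sent_pkts` and `packets_sent` before their converts. If the received counters carry the same surrounding whitespace the sent counters evidently can, the `convert` fails silently under `ignore_failure: true`, the cleanup `remove` then discards the raw field, and the destination packet count is lost with no `error.message` to show for it. Add matching trim processors ahead of those two converts.

```yaml
# … unchanged: destination.ip / destination.port / destination.nat.* mapping …
- trim:
    field: sophos.xg.recv_pkts
    ignore_missing: true
- trim:
    field: sophos.xg.packets_received
    ignore_missing: true
# … unchanged: recv_pkts / packets_received convert to destination.packets …
```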
diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml new file mode 100755 index 0000000000..c38552b4c6 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml 
@@ -0,0 +1,115 @@ +--- +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' +- append: + field: event.type + value: + - denied + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophos?.xg?.signature_id != null" +- rename: + field: sophos.xg.signature_msg + target_field: rule.name + ignore_missing: true + if: 
"ctx.sophos?.xg?.signature_msg != null" +- rename: + field: sophos.xg.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophos?.xg?.classification != null" + +###################### +## ECS Network Mapping +###################### +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml new file mode 100755 index 0000000000..df874a5254 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml 
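Review bot: The pipeline `description` reads `(ipd pipeline)`; the file is `idp.yml` and every sibling description names its own pipeline, so this should be `description: Pipeline for parsing sophos firewall logs (idp pipeline)`. Separately, the cleanup section lowercases `network.protocol` and `event.info`, but nothing in this hunk writes either field and `event.info` is not an ECS field; if the parent pipeline does not populate them these two processors are dead and could be dropped, otherwise a one-line comment naming where the values come from would help the next reader.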
@@ -0,0 +1,133 @@
+---
+description: Pipeline for parsing sophos firewall logs (sandbox pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.kind
+    value: event
+- set:
+    field: event.action
+    value: "{{sophos.xg.log_subtype}}"
+    if: "ctx.sophos?.xg?.log_subtype != null"
+- set:
+    field: event.outcome
+    value: success
+    if: "ctx.sophos?.xg?.log_subtype != null"
+- set:
+    field: event.kind
+    value: alert
+    if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
+- append:
+    field: event.category
+    value:
+      - malware
+      - network
+    if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
+- append:
+    field: event.category
+    value: network
+    if: "ctx.sophos?.xg?.log_subtype != 'Denied'"
+- append:
+    field: event.type
+    value: allowed
+    if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)"
+- append:
+    field: event.type
+    value:
+      - start
+      - connection
+    if: "['pending'].contains(ctx.sophos?.xg?.reason)"
+- append:
+    field: event.type
+    value:
+      - end
+      - connection
+    if: "ctx.sophos?.xg?.reason == 'eligible'"
+- append:
+    field: event.type
+    value:
+      - denied
+      - connection
+    if: "ctx.sophos?.xg?.log_subtype == 'Denied'"
+
+- rename:
+    if: ctx.sophos?.xg?.log_component == "Web"
+    field: sophos.xg.source
+    target_field: url.domain
+    ignore_missing: true
+
+########################
+## ECS Source Mapping ##
+########################
+- rename:
+    field: sophos.xg.src_ip
+    target_field: source.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.src_ip != null"
+- rename:
+    field: sophos.xg.user_name
+    target_field: source.user.name
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.user_name != null"
+
+#############################
+## ECS Destination Mapping ##
+#############################
+- convert:
+    field: url.domain
+    target_field: destination.ip
+    type: ip
+    ignore_missing: true
+    on_failure:
+      - set:
+          field: destination.domain
+          copy_from: url.domain
+          ignore_empty_value: true
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+    field: sophos.xg.filename
+    target_field: file.name
+    ignore_missing: true
+    if: ctx.sophos?.xg?.filename != null
+- convert:
+    field: sophos.xg.filesize
+    target_field: file.size
+    type: long
+    ignore_failure: true
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.filesize != null"
+- rename:
+    field: sophos.xg.filetype
+    target_field: file.mime_type
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.filetype != null"
+
+# In 18.0 and later the sha1sum contains the sha256 checksum of the file.
+- rename:
+    field: sophos.xg.sha1sum
+    target_field: file.hash.sha1
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 40"
+- rename:
+    field: sophos.xg.sha1sum
+    target_field: file.hash.sha256
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 64"
+
+#############
+## Cleanup ##
+#############
+- remove:
+    field:
+      - sophos.xg.filesize
+      - sophos.xg.sha1sum
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml
new file mode 100755
index 0000000000..7a55e8b6a2
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml
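Review bot: A `sophos.xg.sha1sum` whose length is neither 40 nor 64 matches neither rename and is then deleted by the unconditional cleanup `remove`, so a hash in any other form (a truncated value, or a placeholder the firewall may emit when no hash is available) disappears from the document with no trace. After a successful rename the field no longer exists, so the `remove` entry only ever affects the unmatched case; drop `- sophos.xg.sha1sum` from that list so the raw value survives under the vendor field. Also note that the two `if` conditions call `.length()` on the value, so if the field ever arrives as a non-string the processor throws and the whole event is reduced to `error.message`; guarding with `instanceof String` would make that case degrade the same way as the other lengths.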
@@ -0,0 +1,182 @@ +--- +description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- rename: + field: sophos.xg.idle + target_field: sophos.xg.idle_cpu + ignore_missing: true +- gsub: + field: sophos.xg.idle_cpu + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.idle_cpu + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.idle_cpu +- rename: + field: sophos.xg.system + target_field: sophos.xg.system_cpu + ignore_missing: true +- gsub: + field: sophos.xg.system_cpu + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.system_cpu + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.system_cpu +- rename: + field: sophos.xg.user + target_field: sophos.xg.user_cpu + ignore_missing: true +- gsub: + field: sophos.xg.user_cpu + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.user_cpu + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.user_cpu +- convert: + field: sophos.xg.used + type: integer + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.used +- convert: + field: sophos.xg.total_memory + type: integer + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.total_memory +- convert: + field: sophos.xg.free + type: integer + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.free +- gsub: + field: sophos.xg.configuration + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.configuration + type: float + ignore_missing: true + on_failure: + - remove: + field: + - sophos.xg.configuration + +- gsub: + field: sophos.xg.reports + pattern: "%$" + replacement: "" + 
ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.reports + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.reports +- gsub: + field: sophos.xg.temp + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.temp + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.temp +- gsub: + field: sophos.xg.signature + pattern: "%$" + replacement: "" + ignore_missing: true + ignore_failure: true +- convert: + field: sophos.xg.signature + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.signature +- convert: + field: sophos.xg.users + type: integer + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.users +- convert: + field: sophos.xg.transmittedkbits + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.transmittedkbits +- convert: + field: sophos.xg.receivedkbits + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.receivedkbits +- convert: + field: sophos.xg.collisions + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.collisions +- convert: + field: sophos.xg.receiveddrops + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.receiveddrops +- convert: + field: sophos.xg.transmitteddrops + type: float + ignore_missing: true + on_failure: + - remove: + field: sophos.xg.transmitteddrops + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml new file mode 100755 index 0000000000..a59c4334cd --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml 
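Review bot: The converts of `sophos.xg.used`, `sophos.xg.total_memory` and `sophos.xg.free` use `type: integer`, which is a 32-bit conversion in the ingest `convert` processor; if these memory figures are reported in bytes (the hunk does not show the unit), any value above 2,147,483,647 fails the conversion and the processor's `on_failure` silently removes the field. Every other numeric counter in this commit is converted with `type: long`, so change those three to `type: long` for consistency and headroom. As a minor style point, the `configuration` convert's `on_failure` writes `field:` as a one-item list while all the others use a scalar; either form works, but one form file-wide reads better.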
@@ -0,0 +1,174 @@
+---
+description: Pipeline for parsing sophos firewall logs (waf pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.kind
+    value: event
+- set:
+    field: event.action
+    value: allowed
+    if: 'ctx.sophos?.xg?.reason == "-"'
+- set:
+    field: event.action
+    value: denied
+    if: 'ctx.sophos?.xg?.reason != "-"'
+- set:
+    field: event.outcome
+    value: success
+    if: "ctx.sophos?.xg?.reason != null"
+- set:
+    field: event.kind
+    value: alert
+    if: 'ctx.sophos?.xg?.reason != "-"'
+- append:
+    field: event.category
+    value:
+      - malware
+      - network
+    if: 'ctx.sophos?.xg?.reason == "Antivirus"'
+- append:
+    field: event.category
+    value:
+      - intrusion_detection
+      - network
+    if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'"
+- append:
+    field: event.type
+    value:
+      - allowed
+      - connection
+    if: 'ctx.sophos?.xg?.reason == "-"'
+- append:
+    field: event.type
+    value:
+      - denied
+      - connection
+    if: 'ctx.sophos?.xg?.reason != "-"'
+
+- convert:
+    field: sophos.xg.responsetime
+    type: long
+    ignore_missing: true
+    on_failure:
+      - remove:
+          field: sophos.xg.responsetime
+- script:
+    description: Convert microseconds to nanoseconds.
+    lang: painless
+    source: |
+      if (ctx.sophos?.xg?.responsetime != null && ctx.sophos.xg.responsetime > 0) {
+        ctx.event.duration = ctx.sophos.xg.responsetime * 1000;
+      }
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+    field: sophos.xg.localip
+    target_field: destination.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.localip != null"
+- convert:
+    field: sophos.xg.bytessent
+    target_field: destination.bytes
+    type: long
+    ignore_failure: true
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.bytessent != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+    field: sophos.xg.sourceip
+    target_field: source.ip
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.sourceip != null"
+- convert:
+    field: sophos.xg.bytesrcv
+    target_field: source.bytes
+    type: long
+    ignore_failure: true
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.bytesrcv != null"
+- rename:
+    field: sophos.xg.user_name
+    target_field: source.user.name
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.user_name != null"
+- rename:
+    field: sophos.xg.user_gp
+    target_field: source.user.group.name
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.user_gp != null"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+    field: sophos.xg.url
+    target_field: url.full
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.url != null"
+- rename:
+    field: sophos.xg.domain
+    target_field: url.domain
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.domain != null"
+
+############################
+## ECS User Agent Mapping ##
+############################
+- rename:
+    field: sophos.xg.referer
+    target_field: http.request.referrer
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.referer != null"
+- convert:
+    field: sophos.xg.httpstatus
+    target_field: destination.bytes
+    type: long
+    ignore_failure: true
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.httpstatus != null"
+- rename:
+    field: sophos.xg.method
+    target_field: http.request.method
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.method != null"
+- rename:
+    field: sophos.xg.ws_protocol
+    target_field: http.version
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.ws_protocol != null"
+- rename:
+    field: sophos.xg.useragent
+    target_field: user_agent.original
+    ignore_missing: true
+    if: "ctx.sophos?.xg?.useragent != null"
+
+#############
+## Cleanup ##
+#############
+- rename:
+    field: sophos.xg.SQLi
+    target_field: sophos.xg.sqli
+    ignore_missing: true
+- rename:
+    field: sophos.xg.XSS
+    target_field: sophos.xg.xss
+    ignore_missing: true
+- remove:
+    field:
+      - sophos.xg.bytesrcv
+      - sophos.xg.bytessent
+      - sophos.xg.httpstatus
+      - sophos.xg.responsetime
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml
new file mode 100755
index 0000000000..9dbbeb06c0
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml
@@ -0,0 +1,27 @@
+---
+description: Pipeline for parsing Sophos XG firewall logs (wireless protection pipeline).
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.kind
+    value: event
+- set:
+    field: event.outcome
+    value: success
+- convert:
+    field: sophos.xg.clients_conn_ssid
+    type: long
+    ignore_missing: true
+    on_failure:
+      - remove:
+          field: sophos.xg.clients_conn_ssid
+
+#############
+## Cleanup ##
+#############
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/sophos/2.2.1/data_stream/xg/fields/agent.yml b/packages/sophos/2.2.1/data_stream/xg/fields/agent.yml
new file mode 100755
index 0000000000..98998ae549
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/fields/agent.yml
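Review bot: The `convert` of `sophos.xg.httpstatus` in the user-agent section writes to `target_field: destination.bytes`, the same target the `bytessent` convert filled earlier in the hunk, so for every event that carries an HTTP status the response byte count is overwritten by a value such as 200 or 403, and because `httpstatus` is then deleted by the cleanup `remove` the status code itself is kept nowhere. This looks like a copy-paste of the bytes convert; change that one line to `target_field: http.response.status_code`. The fields file for this data stream should declare `http.response.status_code` if it does not already, otherwise the value lands unmapped.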
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset +- name: log.source.address + type: keyword + ignore_above: 1024 diff --git a/packages/sophos/2.2.1/data_stream/xg/fields/base-fields.yml b/packages/sophos/2.2.1/data_stream/xg/fields/base-fields.yml new file mode 100755 index 0000000000..a6aa5f75de --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: sophos +- name: event.dataset + type: constant_keyword + description: Event dataset + value: sophos.xg +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/sophos/2.2.1/data_stream/xg/fields/ecs.yml b/packages/sophos/2.2.1/data_stream/xg/fields/ecs.yml new file mode 100755 index 0000000000..c5a5b0bb40 --- /dev/null +++ b/packages/sophos/2.2.1/data_stream/xg/fields/ecs.yml 
@@ -0,0 +1,548 @@
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer.
Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: User email address.
+ name: destination.user.email
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
+ name: email.from.address
+ type: keyword
+- description: The email address of recipient
+ name: email.to.address
+ type: keyword
+- description: A brief summary of the topic of the message.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: email.subject
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+ name: event.hash
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ Sequence number of the event.
+ The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+ name: event.sequence
+ type: long
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g.
firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
+ name: file.mime_type
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+ name: observer.egress.zone
+ type: keyword
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+ name: observer.ingress.zone
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: Observer serial number.
+ name: observer.serial_number
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Portion of the url after the `#`, such as "top".
+ The `#` is not part of the fragment.
+ name: url.fragment
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: url.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: user_agent.os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: user_agent.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: user_agent.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/sophos/2.2.1/data_stream/xg/fields/fields.yml b/packages/sophos/2.2.1/data_stream/xg/fields/fields.yml
new file mode 100755
index 0000000000..6dd56deeab
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/fields/fields.yml
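Review bot: `url.password` is mapped as a plain indexed `keyword`, so any credential embedded in an observed URL becomes searchable and is retained for the index lifetime; `url.full` and `url.original` (`wildcard`) will carry the same secret if the pipeline keeps the userinfo part. Whether the xg ingest pipeline actually populates these fields is outside this diff, so treat this as a check rather than a confirmed leak. If it does, either have the pipeline drop or redact the password before indexing, or at minimum follow the pattern this file already uses for `event.original` and add `index: false` under `name: url.password`.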
@@ -0,0 +1,830 @@
+- name: sophos
+ type: group
+ fields:
+ - name: xg
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: |
+ Event Action
+ - name: activityname
+ type: keyword
+ description: |
+ Web policy activity that matched and caused the policy result.
+ - name: ap
+ type: keyword
+ description: |
+ Access Point Serial ID or LocalWifi0 or LocalWifi1.
+ - name: app_category
+ type: keyword
+ description: |
+ Name of the category under which application falls
+ - name: app_filter_policy_id
+ type: keyword
+ description: |
+ Application filter policy ID applied on the traffic
+ - name: app_is_cloud
+ type: keyword
+ description: |
+ Application is Cloud
+ - name: app_name
+ type: keyword
+ description: |
+ Application name
+ - name: app_resolved_by
+ type: keyword
+ description: |
+ Application is resolved by signature or synchronized application
+ - name: app_risk
+ type: keyword
+ description: |
+ Risk level assigned to the application
+ - name: app_technology
+ type: keyword
+ description: |
+ Technology of the application
+ - name: appfilter_policy_id
+ type: integer
+ description: |
+ Application Filter policy applied on the traffic
+ - name: application
+ type: keyword
+ description: |
+ Application name
+ - name: application_category
+ type: keyword
+ description: |
+ Application is resolved by signature or synchronized application
+ - name: application_filter_policy
+ type: integer
+ description: |
+ Application Filter policy applied on the traffic
+ - name: application_name
+ type: keyword
+ description: |
+ Application name
+ - name: application_risk
+ type: keyword
+ description: |
+ Risk level assigned to the application
+ - name: application_technology
+ type: keyword
+ description: |
+ Technology of the application
+ - name: appresolvedby
+ type: keyword
+ description: |
+ Technology of the application
+ - name: auth_client
+ type: keyword
+ description: |
+ Auth Client
+ - name: auth_mechanism
+ type: keyword
+ description: |
+ Auth mechanism
+ - name: av_policy_name
+ type: keyword
+ description: |
+ Malware scanning policy name which is applied on the traffic
+ - name: backup_mode
+ type: keyword
+ description: |
+ Backup mode
+ - name: branch_name
+ type: keyword
+ description: |
+ Branch Name
+ - name: category
+ type: keyword
+ description: |
+ IPS signature category.
+ - name: category_type
+ type: keyword
+ description: |
+ Type of category under which website falls
+ - name: classification
+ type: keyword
+ description: |
+ Signature classification
+ - name: client_host_name
+ type: keyword
+ description: |
+ Client host name
+ - name: client_physical_address
+ type: keyword
+ description: |
+ Client physical address
+ - name: clients_conn_ssid
+ type: long
+ description: |
+ Number of client connected to the SSID.
+ - name: collisions
+ type: long
+ description: |
+ collisions
+ - name: con_event
+ type: keyword
+ description: |
+ Event Start/Stop
+ - name: con_id
+ type: integer
+ description: |
+ Unique identifier of connection
+ - name: configuration
+ type: float
+ description: |
+ Configuration
+ - name: conn_id
+ type: integer
+ description: |
+ Unique identifier of connection
+ - name: connectionname
+ type: keyword
+ description: |
+ Connectionname
+ - name: connectiontype
+ type: keyword
+ description: |
+ Connectiontype
+ - name: connevent
+ type: keyword
+ description: |
+ Event on which this log is generated
+ - name: connid
+ type: keyword
+ description: |
+ Connection ID
+ - name: content_type
+ type: keyword
+ description: |
+ Type of the content
+ - name: contenttype
+ type: keyword
+ description: |
+ Type of the content
+ - name: context_match
+ type: keyword
+ description: |
+ Context Match
+ - name: context_prefix
+ type: keyword
+ description: |
+ Content Prefix
+ - name: context_suffix
+ type: keyword
+ description: |
+ Context Suffix
+ - name: cookie
+ type: keyword
+ description: |
+ cookie
+ - name: date
+ type: date
+ description: |
+ Date (yyyy-mm-dd) when the event occurred
+ - name: destinationip
+ type: ip
+ description: |
+ Original destination IP address of traffic
+ - name: device
+ type: keyword
+ description: |
+ device
+ - name: device_id
+ type: keyword
+ description: |
+ Serial number of the device
+ - name: device_model
+ type: keyword
+ description: |
+ Model number of the device
+ - name: device_name
+ type: keyword
+ description: |
+ Model number of the device
+ - name: dictionary_name
+ type: keyword
+ description: |
+ Dictionary Name
+ - name: dir_disp
+ type: keyword
+ description: |
+ TPacket direction. Possible values:“org”, “reply”, “”
+ - name: direction
+ type: keyword
+ description: |
+ Direction
+ - name: domainname
+ type: keyword
+ description: |
+ Domain from which virus was downloaded
+ - name: download_file_name
+ type: keyword
+ description: |
+ Download file name
+ - name: download_file_type
+ type: keyword
+ description: |
+ Download file type
+ - name: dst_country_code
+ type: keyword
+ description: |
+ Code of the country to which the destination IP belongs
+ - name: dst_domainname
+ type: keyword
+ description: |
+ Receiver domain name
+ - name: dst_ip
+ type: ip
+ description: |
+ Original destination IP address of traffic
+ - name: dst_port
+ type: integer
+ description: |
+ Original destination port of TCP and UDP traffic
+ - name: dst_zone_type
+ type: keyword
+ description: |
+ Type of destination zone
+ - name: dstdomain
+ type: keyword
+ description: |
+ Destination Domain
+ - name: duration
+ type: long
+ description: |
+ Durability of traffic (seconds)
+ - name: email_subject
+ type: keyword
+ description: |
+ Email Subject
+ - name: ep_uuid
+ type: keyword
+ description: |
+ Endpoint UUID
+ - name: ether_type
+ type: keyword
+ description: |
+ ethernet frame type
+ - name: eventid
+ type: keyword
+ description: |
+ ATP Evenet ID
+ - name: eventtime
+ type: date
+ description: |
+ Event time
+ - name: eventtype
+ type: keyword
+ description: |
+ ATP event type
+ - name: exceptions
+ type: keyword
+ description: |
+ List of the checks excluded by web exceptions.
+ - name: execution_path
+ type: keyword
+ description: |
+ ATP execution path
+ - name: extra
+ type: keyword
+ description: |
+ extra
+ - name: file_name
+ type: keyword
+ description: |
+ Filename
+ - name: file_path
+ type: keyword
+ description: |
+ File path
+ - name: file_size
+ type: integer
+ description: |
+ File Size
+ - name: filename
+ type: keyword
+ description: |
+ File name associated with the event
+ - name: filepath
+ type: keyword
+ description: |
+ Path of the file containing virus
+ - name: filesize
+ type: integer
+ description: |
+ Size of the file that contained virus
+ - name: free
+ type: integer
+ description: |
+ free
+ - name: from_email_address
+ type: keyword
+ description: |
+ Sender email address
+ - name: ftp_direction
+ type: keyword
+ description: |
+ Direction of FTP transfer: Upload or Download
+ - name: ftp_url
+ type: keyword
+ description: |
+ FTP URL from which virus was downloaded
+ - name: ftpcommand
+ type: keyword
+ description: |
+ FTP command used when virus was found
+ - name: fw_rule_id
+ type: integer
+ description: |
+ Firewall Rule ID which is applied on the traffic
+ - name: fw_rule_type
+ type: keyword
+ description: |
+ Firewall rule type which is applied on the traffic
+ - name: hb_health
+ type: keyword
+ description: |
+ Heartbeat status
+ - name: hb_status
+ type: keyword
+ description: |
+ Heartbeat status
+ - name: host
+ type: keyword
+ description: |
+ Host
+ - name: http_category
+ type: keyword
+ description: |
+ HTTP Category
+ - name: http_category_type
+ type: keyword
+ description: |
+ HTTP Category Type
+ - name: httpresponsecode
+ type: long
+ description: |
+ code of HTTP response
+ - name: iap
+ type: keyword
+ description: |
+ Internet Access policy ID applied on the traffic
+ - name: icmp_code
+ type: keyword
+ description: |
+ ICMP code of ICMP traffic
+ - name: icmp_type
+ type: keyword
+ description: |
+ ICMP type of ICMP traffic
+ - name: idle_cpu
+ type: float
+ description: |
+ idle ##
+ - name: idp_policy_id
+ type: integer
+ description: |
+ IPS policy ID which is applied on the traffic
+ - name: idp_policy_name
+ type: keyword
+ description: |
+ IPS policy name i.e. IPS policy name which is applied on the traffic
+ - name: in_interface
+ type: keyword
+ description: |
+ Interface for incoming traffic, e.g., Port A
+ - name: interface
+ type: keyword
+ description: |
+ interface
+ - name: ipaddress
+ type: keyword
+ description: |
+ Ipaddress
+ - name: ips_policy_id
+ type: integer
+ description: |
+ IPS policy ID applied on the traffic
+ - name: lease_time
+ type: keyword
+ description: |
+ Lease Time
+ - name: localgateway
+ type: keyword
+ description: |
+ Localgateway
+ - name: localnetwork
+ type: keyword
+ description: |
+ Localnetwork
+ - name: log_component
+ type: keyword
+ description: |
+ Component responsible for logging e.g. Firewall rule
+ - name: log_id
+ type: keyword
+ description: |
+ Unique 12 characters code (0101011)
+ - name: log_subtype
+ type: keyword
+ description: |
+ Sub type of event
+ - name: log_type
+ type: keyword
+ description: |
+ Type of event e.g. firewall event
+ - name: log_version
+ type: keyword
+ description: |
+ Log Version
+ - name: login_user
+ type: keyword
+ description: |
+ ATP login user
+ - name: mailid
+ type: keyword
+ description: |
+ mailid
+ - name: mailsize
+ type: integer
+ description: |
+ mailsize
+ - name: message
+ type: keyword
+ description: |
+ Message
+ - name: mode
+ type: keyword
+ description: |
+ Mode
+ - name: nat_rule_id
+ type: keyword
+ description: |
+ NAT Rule ID
+ - name: newversion
+ type: keyword
+ description: |
+ Newversion
+ - name: oldversion
+ type: keyword
+ description: |
+ Oldversion
+ - name: out_interface
+ type: keyword
+ description: |
+ Interface for outgoing traffic, e.g., Port B
+ - name: override_authorizer
+ type: keyword
+ description: |
+ Override authorizer
+ - name: override_name
+ type: keyword
+ description: |
+ Override name
+ - name: override_token
+ type: keyword
+ description: |
+ Override token
+ - name: phpsessid
+ type: keyword
+ description: |
+ PHP session ID
+ - name: platform
+ type: keyword
+ description: |
+ Platform of the traffic.
+ - name: policy_type
+ type: keyword
+ description: |
+ Policy type applied to the traffic
+ - name: priority
+ type: keyword
+ description: |
+ Severity level of traffic
+ - name: protocol
+ type: keyword
+ description: |
+ Protocol number of traffic
+ - name: qualifier
+ type: keyword
+ description: |
+ Qualifier
+ - name: quarantine
+ type: keyword
+ description: |
+ Path and filename of the file quarantined
+ - name: quarantine_reason
+ type: keyword
+ description: |
+ Quarantine reason
+ - name: querystring
+ type: keyword
+ description: |
+ querystring
+ - name: raw_data
+ type: keyword
+ description: |
+ Raw data
+ - name: received_pkts
+ type: long
+ description: |
+ Total number of packets received
+ - name: receiveddrops
+ type: long
+ description: |
+ received drops
+ - name: receivederrors
+ type: keyword
+ description: |
+ received errors
+ - name: receivedkbits
+ type: long
+ description: |
+ received kbits
+ - name: recv_bytes
+ type: long
+ description: |
+ Total number of bytes received
+ - name: red_id
+ type: keyword
+ description: |
+ RED ID
+ - name: referer
+ type: keyword
+ description: |
+ Referer
+ - name: remote_ip
+ type: ip
+ description: |
+ Remote IP
+ - name: remotenetwork
+ type: keyword
+ description: |
+ remotenetwork
+ - name: reported_host
+ type: keyword
+ description: |
+ Reported Host
+ - name: reported_ip
+ type: keyword
+ description: |
+ Reported IP
+ - name: reports
+ type: float
+ description: |
+ Reports
+ - name: rule_priority
+ type: keyword
+ description: |
+ Priority of IPS policy
+ - name: sent_bytes
+ type: long
+ description: |
+ Total number of bytes sent
+ - name: sent_pkts
+ type: long
+ description: |
+ Total number of packets sent
+ - name: server
+ type: keyword
+ description: |
+ Server
+ - name: sessionid
+ type: keyword
+ description: |
+ Sessionid
+ - name: sha1sum
+ type: keyword
+ description: |
+ SHA1 checksum of the item being analyzed
+ - name: signature
+ type: float
+ description: |
+ Signature
+ - name: signature_id
+ type: keyword
+ description: |
+ Signature ID
+ - name: signature_msg
+ type: keyword
+ description: |
+ Signature messsage
+ - name: site_category
+ type: keyword
+ description: |
+ Site Category
+ - name: source
+ type: keyword
+ description: |
+ Source
+ - name: sourceip
+ type: ip
+ description: |
+ Original source IP address of traffic
+ - name: spamaction
+ type: keyword
+ description: |
+ Spam Action
+ - name: sqli
+ type: keyword
+ description: |
+ related SQLI caught by the WAF
+ - name: src_country_code
+ type: keyword
+ description: |
+ Code of the country to which the source IP belongs
+ - name: src_domainname
+ type: keyword
+ description: |
+ Sender domain name
+ - name: src_ip
+ type: ip
+ description: |
+ Original source IP address of traffic
+ - name: src_mac
+ type: keyword
+ description: |
+ Original source MAC address of traffic
+ - name: src_port
+ type: integer
+ description: |
+ Original source port of TCP and UDP traffic
+ - name: src_zone_type
+ type: keyword
+ description: |-
+ Type of source zone
+ - name: ssid
+ type: keyword
+ description: |
+ Configured SSID name.
+ - name: start_time
+ type: date
+ description: |
+ Start time
+ - name: starttime
+ type: date
+ description: |
+ Starttime
+ - name: status
+ type: keyword
+ description: |
+ Ultimate status of traffic – Allowed or Denied
+ - name: status_code
+ type: keyword
+ description: |
+ Status code
+ - name: subject
+ type: keyword
+ description: |
+ Email subject
+ - name: syslog_server_name
+ type: keyword
+ description: |
+ Syslog server name
+ - name: syslog_server_name
+ type: keyword
+ description: |
+ Syslog server name.
+ - name: system_cpu
+ type: float
+ description: |
+ system
+ - name: target
+ type: keyword
+ description: |
+ Platform of the traffic.
+ - name: temp
+ type: float
+ description: |
+ Temp
+ - name: threatname
+ type: keyword
+ description: |
+ ATP threatname
+ - name: timestamp
+ type: date
+ description: |
+ timestamp
+ - name: timezone
+ type: keyword
+ description: |
+ Time (hh:mm:ss) when the event occurred
+ - name: to_email_address
+ type: keyword
+ description: |
+ Receipeint email address
+ - name: total_memory
+ type: integer
+ description: |
+ Total Memory
+ - name: trans_dst_ip
+ type: ip
+ description: |
+ Translated destination IP address for outgoing traffic
+ - name: trans_dst_port
+ type: integer
+ description: |
+ Translated destination port for outgoing traffic
+ - name: trans_src_ip
+ type: ip
+ description: |
+ Translated source IP address for outgoing traffic
+ - name: trans_src_port
+ type: integer
+ description: |
+ Translated source port for outgoing traffic
+ - name: transaction_id
+ type: keyword
+ description: |
+ Transaction ID
+ - name: transactionid
+ type: keyword
+ description: |
+ Transaction ID of the AV scan.
+ - name: transmitteddrops
+ type: long
+ description: |
+ transmitted drops
+ - name: transmittederrors
+ type: keyword
+ description: |
+ transmitted errors
+ - name: transmittedkbits
+ type: long
+ description: |
+ transmitted kbits
+ - name: unit
+ type: keyword
+ description: |
+ unit
+ - name: updatedip
+ type: ip
+ description: |
+ updatedip
+ - name: upload_file_name
+ type: keyword
+ description: |
+ Upload file name
+ - name: upload_file_type
+ type: keyword
+ description: |
+ Upload file type
+ - name: url
+ type: keyword
+ description: |
+ URL from which virus was downloaded
+ - name: used
+ type: integer
+ description: |
+ used
+ - name: used_quota
+ type: keyword
+ description: |
+ Used Quota
+ - name: user
+ type: keyword
+ description: |
+ User
+ - name: user_cpu
+ type: float
+ description: |
+ system
+ - name: user_gp
+ type: keyword
+ description: |
+ Group name to which the user belongs.
+ - name: user_group
+ type: keyword
+ description: |
+ Group name to which the user belongs
+ - name: user_name
+ type: keyword
+ description: |
+ user_name
+ - name: users
+ type: long
+ description: |
+ Number of users from System Health / Live User events.
+ - name: vconn_id
+ type: integer
+ description: |
+ Connection ID of the master connection
+ - name: virus
+ type: keyword
+ description: |
+ virus name
+ - name: web_policy_id
+ type: keyword
+ description: |
+ Web policy ID
+ - name: website
+ type: keyword
+ description: |
+ Website
+ - name: xss
+ type: keyword
+ description: |
+ related XSS caught by the WAF
diff --git a/packages/sophos/2.2.1/data_stream/xg/manifest.yml b/packages/sophos/2.2.1/data_stream/xg/manifest.yml
new file mode 100755
index 0000000000..51993f6082
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/manifest.yml
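Review bot: `syslog_server_name` is defined twice in the `xg` group (two consecutive entries, descriptions `Syslog server name` and `Syslog server name.`); one should be removed, since a duplicate field definition is at best redundant and may be rejected by package validation. Several descriptions look copied from a neighbouring field rather than describing their own: `device_name` says `Model number of the device`, `application_category` repeats the `app_resolved_by` text, `appresolvedby` repeats `Technology of the application`, `user_cpu` says `system`, `target` says `Platform of the traffic.`, `timezone` says `Time (hh:mm:ss) when the event occurred`, and `idle_cpu` reads `idle ##`. Spelling worth fixing while here: `Signature messsage`, `Receipeint email address`, `ATP Evenet ID`, and `Durability of traffic (seconds)` on `duration`. The paired counters are typed inconsistently — `receiveddrops`/`transmitteddrops` are `long` while `receivederrors`/`transmittederrors` are `keyword` — which blocks numeric aggregation on the error counters if they carry numbers, so the intended type is worth confirming against the XG log format.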
@@ -0,0 +1,240 @@
+type: logs
+title: Sophos XG logs
+streams:
+ - input: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The port to listen on for syslog data.
+ multi: false
+ required: true
+ show_user: true
+ default: 9005
+ - name: default_host_name
+ type: text
+ title: Default Host Name
+ description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
+ multi: false
+ required: true
+ show_user: true
+ default: firewall.localgroup.local
+ - name: known_devices
+ type: yaml
+ title: Known Devices
+ description: |
+ The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
+ This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used.
+ multi: false
+ required: true
+ show_user: true
+ default: |
+ - hostname: my_fancy_host
+ serial_number: "1234567890123456"
+ - hostname: some_other_host.local
+ serial_number: "1234567890123457"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-xg
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ template_path: tcp.yml.hbs
+ title: Sophos XG logs
+ description: Collect Sophos XG logs
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The port to listen on for syslog data.
+ multi: false
+ required: true
+ show_user: true
+ default: 9005
+ - name: default_host_name
+ type: text
+ title: Default Host Name
+ description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
+ multi: false
+ required: true
+ show_user: true
+ default: firewall.localgroup.local
+ - name: known_devices
+ type: yaml
+ title: Known Devices
+ description: |
+ The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
+ This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used.
+ multi: false
+ required: true
+ show_user: true
+ default: |
+ - hostname: my_fancy_host
+ serial_number: "1234567890123456"
+ - hostname: some_other_host.local
+ serial_number: "1234567890123457"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-xg
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Sophos XG logs
+ description: Collect Sophos XG logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: default_host_name
+ type: text
+ title: Default Host Name
+ description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
+ multi: false
+ required: true
+ show_user: true
+ default: firewall.localgroup.local
+ - name: known_devices
+ type: yaml
+ title: Known Devices
+ description: |
+ The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
+ This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used.
+ multi: false
+ required: true
+ show_user: true
+ default: |
+ - hostname: my_fancy_host
+ serial_number: "1234567890123456"
+ - hostname: some_other_host.local
+ serial_number: "1234567890123457"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sophos-xg
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Sophos XG logs
+ description: Collect Sophos XG logs
diff --git a/packages/sophos/2.2.1/data_stream/xg/sample_event.json b/packages/sophos/2.2.1/data_stream/xg/sample_event.json
new file mode 100755
index 0000000000..3d6e8025ff
--- /dev/null
+++ b/packages/sophos/2.2.1/data_stream/xg/sample_event.json
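Review bot: The commented-out default for `tcp_options` misspells the option name — `#framing: delimitier` — so a user who uncomments it to enable framing gets an unknown-setting error instead of the intended `#framing: delimiter`. The `paths` variable of the `logfile` input is the only user-facing variable without a `description`; a line such as `description: Paths of the Sophos XG log files to read.` would bring it in line with the other inputs. The `known_devices` default ships placeholder serial numbers that an unedited policy will never match; the description already explains the fallback to `default_host_name`, but stating that the two entries are examples to be replaced would spare operators the surprise of every event landing on the default host name.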
@@ -0,0 +1,91 @@ +{ + "@timestamp": "2016-12-02T18:50:20.000Z", + "agent": { + "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.1.2" + }, + "data_stream": { + "dataset": "sophos.xg", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", + "snapshot": false, + "version": "8.1.2" + }, + "event": { + "action": "alert", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "16010", + "dataset": "sophos.xg", + "ingested": "2022-04-20T20:13:02Z", + "kind": "event", + "outcome": "success", + "severity": 1, + "timezone": "+00:00" + }, + "host": { + "name": "XG230" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.31.0.8:48162" + } + }, + "observer": { + "product": "XG", + "serial_number": "1234567890123456", + "type": "firewall", + "vendor": "Sophos" + }, + "related": { + "hosts": [ + "XG230" + ], + "ip": [ + "10.108.108.49" + ] + }, + "sophos": { + "xg": { + "action": "Deny", + "context_match": "Not", + "context_prefix": "blah blah hello ", + "context_suffix": " hello blah ", + "device": "SFW", + "device_name": "SF01V", + "dictionary_name": "complicated_Custom", + "direction": "in", + "file_name": "cgi_echo.pl", + "log_component": "Web Content Policy", + "log_id": "058420116010", + "log_subtype": "Alert", + "log_type": "Content Filtering", + "site_category": "Information Technology", + "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "user": "gi123456", + "website": "ta-web-static-testing.qa. astaro.de" + } + }, + "source": { + "ip": "10.108.108.49" + }, + "tags": [ + "sophos-xg", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/sophos/2.2.1/docs/README.md b/packages/sophos/2.2.1/docs/README.md new file mode 100755 index 0000000000..7d950b445d 
--- /dev/null +++ b/packages/sophos/2.2.1/docs/README.md 
@@ -0,0 +1,1331 @@
+# Sophos Integration
+
+The Sophos integration collects and parses logs from Sophos Products.
+
+Currently it accepts logs in syslog format or from a file for the following devices:
+
+- `utm` dataset: supports Astaro Security Gateway logs.
+- `xg` dataset: supports Sophos XG SFOS logs.
+
+To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184).
+
+The syslog format chosen should be `Default`.
+
+## Compatibility
+
+This module has been tested against SFOS version 17.5.x and 18.0.x.
+Versions above this are expected to work but have not been tested.
+
+## Logs
+
+### Utm log
+
+The `utm` dataset collects Astaro Security Gateway logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. 
| geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. 
| match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. 
| keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration.
| keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name.
| keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name.
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
+
+### XG log
+
+This is the Sophos `xg` dataset. Reference information about the log formats
+can be found in the [Sophos syslog guide](
+https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf).
+
+An example event for `xg` looks as following:
+
+```json
+{
+ "@timestamp": "2016-12-02T18:50:20.000Z",
+ "agent": {
+ "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc",
+ "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.1.2"
+ },
+ "data_stream": {
+ "dataset": "sophos.xg",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
+ "snapshot": false,
+ "version": "8.1.2"
+ },
+ "event": {
+ "action": "alert",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "16010",
+ "dataset": "sophos.xg",
+ "ingested": "2022-04-20T20:13:02Z",
+ "kind": "event",
+ "outcome": "success",
+ "severity": 1,
+ "timezone": "+00:00"
+ },
+ "host": {
+ "name": "XG230"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "alert",
+ "source": {
+ "address": "172.31.0.8:48162"
+ }
+ },
+ "observer": {
+ "product": "XG",
+ "serial_number": "1234567890123456",
+ "type": "firewall",
+ "vendor": "Sophos"
+ },
+ "related": {
+ "hosts": [
+ "XG230"
+ ],
+ "ip": [
+ "10.108.108.49"
+ ]
+ },
+ "sophos": {
+ "xg": {
+ "action": "Deny",
+ "context_match": "Not",
+ "context_prefix": "blah blah hello ",
+ "context_suffix": " hello blah ",
+ "device": "SFW",
+ "device_name": "SF01V",
+ "dictionary_name": "complicated_Custom",
+ "direction": "in",
+ "file_name": "cgi_echo.pl",
+ "log_component": "Web Content Policy",
+ "log_id": "058420116010",
+ "log_subtype": "Alert",
+ "log_type": "Content Filtering",
+ "site_category": "Information Technology",
+ "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1",
+ "user": "gi123456",
+ "website": "ta-web-static-testing.qa. astaro.de"
+ }
+ },
+ "source": {
+ "ip": "10.108.108.49"
+ },
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp.
| date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name.
| keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| destination.user.email | User email address. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field.
| keyword |
+| email.subject | A brief summary of the topic of the message. | keyword |
+| email.subject.text | Multi-field of `email.subject`. | match_only_text |
+| email.to.address | The email address of recipient | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.severity | The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash.
| keyword |
+| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| log.source.address | | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g.
Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| keyword | +| sophos.xg.action | Event Action | keyword | +| sophos.xg.activityname | Web policy activity that matched and caused the policy result. | keyword | +| sophos.xg.ap | Access Point Serial ID or LocalWifi0 or LocalWifi1. | keyword | +| sophos.xg.app_category | Name of the category under which application falls | keyword | +| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | +| sophos.xg.app_is_cloud | Application is Cloud | keyword | +| sophos.xg.app_name | Application name | keyword | +| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword | +| sophos.xg.app_risk | Risk level assigned to the application | keyword | +| sophos.xg.app_technology | Technology of the application | keyword | +| sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer | +| sophos.xg.application | Application name | keyword | +| sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword | +| sophos.xg.application_filter_policy | Application Filter policy applied on the traffic | integer | +| sophos.xg.application_name | Application name | keyword | +| sophos.xg.application_risk | Risk level assigned to the application | keyword | +| sophos.xg.application_technology | Technology of the application | keyword | +| sophos.xg.appresolvedby | Technology of the application | keyword | +| sophos.xg.auth_client | Auth Client | keyword | +| sophos.xg.auth_mechanism | Auth mechanism | keyword | +| sophos.xg.av_policy_name | Malware scanning policy name which is applied on the traffic | keyword | +| sophos.xg.backup_mode | Backup mode | keyword | +| sophos.xg.branch_name | Branch Name | keyword | +| sophos.xg.category | IPS signature category. 
| keyword | +| sophos.xg.category_type | Type of category under which website falls | keyword | +| sophos.xg.classification | Signature classification | keyword | +| sophos.xg.client_host_name | Client host name | keyword | +| sophos.xg.client_physical_address | Client physical address | keyword | +| sophos.xg.clients_conn_ssid | Number of client connected to the SSID. | long | +| sophos.xg.collisions | collisions | long | +| sophos.xg.con_event | Event Start/Stop | keyword | +| sophos.xg.con_id | Unique identifier of connection | integer | +| sophos.xg.configuration | Configuration | float | +| sophos.xg.conn_id | Unique identifier of connection | integer | +| sophos.xg.connectionname | Connectionname | keyword | +| sophos.xg.connectiontype | Connectiontype | keyword | +| sophos.xg.connevent | Event on which this log is generated | keyword | +| sophos.xg.connid | Connection ID | keyword | +| sophos.xg.content_type | Type of the content | keyword | +| sophos.xg.contenttype | Type of the content | keyword | +| sophos.xg.context_match | Context Match | keyword | +| sophos.xg.context_prefix | Content Prefix | keyword | +| sophos.xg.context_suffix | Context Suffix | keyword | +| sophos.xg.cookie | cookie | keyword | +| sophos.xg.date | Date (yyyy-mm-dd) when the event occurred | date | +| sophos.xg.destinationip | Original destination IP address of traffic | ip | +| sophos.xg.device | device | keyword | +| sophos.xg.device_id | Serial number of the device | keyword | +| sophos.xg.device_model | Model number of the device | keyword | +| sophos.xg.device_name | Model number of the device | keyword | +| sophos.xg.dictionary_name | Dictionary Name | keyword | +| sophos.xg.dir_disp | TPacket direction. 
Possible values:“org”, “reply”, “” | keyword | +| sophos.xg.direction | Direction | keyword | +| sophos.xg.domainname | Domain from which virus was downloaded | keyword | +| sophos.xg.download_file_name | Download file name | keyword | +| sophos.xg.download_file_type | Download file type | keyword | +| sophos.xg.dst_country_code | Code of the country to which the destination IP belongs | keyword | +| sophos.xg.dst_domainname | Receiver domain name | keyword | +| sophos.xg.dst_ip | Original destination IP address of traffic | ip | +| sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer | +| sophos.xg.dst_zone_type | Type of destination zone | keyword | +| sophos.xg.dstdomain | Destination Domain | keyword | +| sophos.xg.duration | Durability of traffic (seconds) | long | +| sophos.xg.email_subject | Email Subject | keyword | +| sophos.xg.ep_uuid | Endpoint UUID | keyword | +| sophos.xg.ether_type | ethernet frame type | keyword | +| sophos.xg.eventid | ATP Evenet ID | keyword | +| sophos.xg.eventtime | Event time | date | +| sophos.xg.eventtype | ATP event type | keyword | +| sophos.xg.exceptions | List of the checks excluded by web exceptions. 
| keyword | +| sophos.xg.execution_path | ATP execution path | keyword | +| sophos.xg.extra | extra | keyword | +| sophos.xg.file_name | Filename | keyword | +| sophos.xg.file_path | File path | keyword | +| sophos.xg.file_size | File Size | integer | +| sophos.xg.filename | File name associated with the event | keyword | +| sophos.xg.filepath | Path of the file containing virus | keyword | +| sophos.xg.filesize | Size of the file that contained virus | integer | +| sophos.xg.free | free | integer | +| sophos.xg.from_email_address | Sender email address | keyword | +| sophos.xg.ftp_direction | Direction of FTP transfer: Upload or Download | keyword | +| sophos.xg.ftp_url | FTP URL from which virus was downloaded | keyword | +| sophos.xg.ftpcommand | FTP command used when virus was found | keyword | +| sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer | +| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword | +| sophos.xg.hb_health | Heartbeat status | keyword | +| sophos.xg.hb_status | Heartbeat status | keyword | +| sophos.xg.host | Host | keyword | +| sophos.xg.http_category | HTTP Category | keyword | +| sophos.xg.http_category_type | HTTP Category Type | keyword | +| sophos.xg.httpresponsecode | code of HTTP response | long | +| sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword | +| sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword | +| sophos.xg.icmp_type | ICMP type of ICMP traffic | keyword | +| sophos.xg.idle_cpu | idle ## | float | +| sophos.xg.idp_policy_id | IPS policy ID which is applied on the traffic | integer | +| sophos.xg.idp_policy_name | IPS policy name i.e. 
IPS policy name which is applied on the traffic | keyword | +| sophos.xg.in_interface | Interface for incoming traffic, e.g., Port A | keyword | +| sophos.xg.interface | interface | keyword | +| sophos.xg.ipaddress | Ipaddress | keyword | +| sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer | +| sophos.xg.lease_time | Lease Time | keyword | +| sophos.xg.localgateway | Localgateway | keyword | +| sophos.xg.localnetwork | Localnetwork | keyword | +| sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword | +| sophos.xg.log_id | Unique 12 characters code (0101011) | keyword | +| sophos.xg.log_subtype | Sub type of event | keyword | +| sophos.xg.log_type | Type of event e.g. firewall event | keyword | +| sophos.xg.log_version | Log Version | keyword | +| sophos.xg.login_user | ATP login user | keyword | +| sophos.xg.mailid | mailid | keyword | +| sophos.xg.mailsize | mailsize | integer | +| sophos.xg.message | Message | keyword | +| sophos.xg.mode | Mode | keyword | +| sophos.xg.nat_rule_id | NAT Rule ID | keyword | +| sophos.xg.newversion | Newversion | keyword | +| sophos.xg.oldversion | Oldversion | keyword | +| sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword | +| sophos.xg.override_authorizer | Override authorizer | keyword | +| sophos.xg.override_name | Override name | keyword | +| sophos.xg.override_token | Override token | keyword | +| sophos.xg.phpsessid | PHP session ID | keyword | +| sophos.xg.platform | Platform of the traffic. 
| keyword | +| sophos.xg.policy_type | Policy type applied to the traffic | keyword | +| sophos.xg.priority | Severity level of traffic | keyword | +| sophos.xg.protocol | Protocol number of traffic | keyword | +| sophos.xg.qualifier | Qualifier | keyword | +| sophos.xg.quarantine | Path and filename of the file quarantined | keyword | +| sophos.xg.quarantine_reason | Quarantine reason | keyword | +| sophos.xg.querystring | querystring | keyword | +| sophos.xg.raw_data | Raw data | keyword | +| sophos.xg.received_pkts | Total number of packets received | long | +| sophos.xg.receiveddrops | received drops | long | +| sophos.xg.receivederrors | received errors | keyword | +| sophos.xg.receivedkbits | received kbits | long | +| sophos.xg.recv_bytes | Total number of bytes received | long | +| sophos.xg.red_id | RED ID | keyword | +| sophos.xg.referer | Referer | keyword | +| sophos.xg.remote_ip | Remote IP | ip | +| sophos.xg.remotenetwork | remotenetwork | keyword | +| sophos.xg.reported_host | Reported Host | keyword | +| sophos.xg.reported_ip | Reported IP | keyword | +| sophos.xg.reports | Reports | float | +| sophos.xg.rule_priority | Priority of IPS policy | keyword | +| sophos.xg.sent_bytes | Total number of bytes sent | long | +| sophos.xg.sent_pkts | Total number of packets sent | long | +| sophos.xg.server | Server | keyword | +| sophos.xg.sessionid | Sessionid | keyword | +| sophos.xg.sha1sum | SHA1 checksum of the item being analyzed | keyword | +| sophos.xg.signature | Signature | float | +| sophos.xg.signature_id | Signature ID | keyword | +| sophos.xg.signature_msg | Signature messsage | keyword | +| sophos.xg.site_category | Site Category | keyword | +| sophos.xg.source | Source | keyword | +| sophos.xg.sourceip | Original source IP address of traffic | ip | +| sophos.xg.spamaction | Spam Action | keyword | +| sophos.xg.sqli | related SQLI caught by the WAF | keyword | +| sophos.xg.src_country_code | Code of the country to which the source IP belongs | 
keyword | +| sophos.xg.src_domainname | Sender domain name | keyword | +| sophos.xg.src_ip | Original source IP address of traffic | ip | +| sophos.xg.src_mac | Original source MAC address of traffic | keyword | +| sophos.xg.src_port | Original source port of TCP and UDP traffic | integer | +| sophos.xg.src_zone_type | Type of source zone | keyword | +| sophos.xg.ssid | Configured SSID name. | keyword | +| sophos.xg.start_time | Start time | date | +| sophos.xg.starttime | Starttime | date | +| sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword | +| sophos.xg.status_code | Status code | keyword | +| sophos.xg.subject | Email subject | keyword | +| sophos.xg.syslog_server_name | Syslog server name | keyword | +| sophos.xg.system_cpu | system | float | +| sophos.xg.target | Platform of the traffic. | keyword | +| sophos.xg.temp | Temp | float | +| sophos.xg.threatname | ATP threatname | keyword | +| sophos.xg.timestamp | timestamp | date | +| sophos.xg.timezone | Time (hh:mm:ss) when the event occurred | keyword | +| sophos.xg.to_email_address | Receipeint email address | keyword | +| sophos.xg.total_memory | Total Memory | integer | +| sophos.xg.trans_dst_ip | Translated destination IP address for outgoing traffic | ip | +| sophos.xg.trans_dst_port | Translated destination port for outgoing traffic | integer | +| sophos.xg.trans_src_ip | Translated source IP address for outgoing traffic | ip | +| sophos.xg.trans_src_port | Translated source port for outgoing traffic | integer | +| sophos.xg.transaction_id | Transaction ID | keyword | +| sophos.xg.transactionid | Transaction ID of the AV scan. 
| keyword | +| sophos.xg.transmitteddrops | transmitted drops | long | +| sophos.xg.transmittederrors | transmitted errors | keyword | +| sophos.xg.transmittedkbits | transmitted kbits | long | +| sophos.xg.unit | unit | keyword | +| sophos.xg.updatedip | updatedip | ip | +| sophos.xg.upload_file_name | Upload file name | keyword | +| sophos.xg.upload_file_type | Upload file type | keyword | +| sophos.xg.url | URL from which virus was downloaded | keyword | +| sophos.xg.used | used | integer | +| sophos.xg.used_quota | Used Quota | keyword | +| sophos.xg.user | User | keyword | +| sophos.xg.user_cpu | system | float | +| sophos.xg.user_gp | Group name to which the user belongs. | keyword | +| sophos.xg.user_group | Group name to which the user belongs | keyword | +| sophos.xg.user_name | user_name | keyword | +| sophos.xg.users | Number of users from System Health / Live User events. | long | +| sophos.xg.vconn_id | Connection ID of the master connection | integer | +| sophos.xg.virus | virus name | keyword | +| sophos.xg.web_policy_id | Web policy ID | keyword | +| sophos.xg.website | Website | keyword | +| sophos.xg.xss | related XSS caught by the WAF | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + diff --git a/packages/sophos/2.2.1/img/logo.svg b/packages/sophos/2.2.1/img/logo.svg new file mode 100755 index 0000000000..44612bd861 --- /dev/null +++ b/packages/sophos/2.2.1/img/logo.svg @@ -0,0 +1,39 @@ + +image/svg+xml \ No newline at end of file diff --git a/packages/sophos/2.2.1/img/sophos.svg b/packages/sophos/2.2.1/img/sophos.svg new file mode 100755 index 0000000000..5ebdeaf788 --- /dev/null +++ b/packages/sophos/2.2.1/img/sophos.svg @@ -0,0 +1,69 @@ + + + +image/svg+xml diff --git a/packages/sophos/2.2.1/manifest.yml b/packages/sophos/2.2.1/manifest.yml new file mode 100755 index 0000000000..dfe23ea68a --- /dev/null +++ b/packages/sophos/2.2.1/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: sophos
+title: Sophos Logs
+version: "2.2.1"
+description: Collect and parse logs from Sophos Products with Elastic Agent.
+categories: ["security"]
+release: ga
+license: basic
+type: integration
+conditions:
+  kibana.version: "^7.17.0 || ^8.0.0"
+policy_templates:
+  - name: sophos
+    title: Sophos logs
+    description: Collect Sophos logs from syslog or a file.
+    inputs:
+      - type: udp
+        title: Collect logs from Sophos via UDP
+        description: Collecting syslog from Sophos via UDP
+      - type: tcp
+        title: Collect logs from Sophos via TCP
+        description: Collecting syslog from Sophos via TCP
+      - type: logfile
+        title: Collect logs from Sophos via file
+        description: Collecting syslog from Sophos via file.
+icons:
+  - src: /img/logo.svg
+    title: Sophos logo
+    size: 32x32
+    type: image/svg+xml
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/symantec_endpoint/0.0.4/changelog.yml b/packages/symantec_endpoint/0.0.4/changelog.yml
new file mode 100755
index 0000000000..2dcf5f1314
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/changelog.yml
@@ -0,0 +1,21 @@
+# newer versions go on top
+- version: "0.0.4"
+  changes:
+    - description: Make field values conform to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3330
+- version: "0.0.3"
+  changes:
+    - description: Make field values conform to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3244
+- version: "0.0.2"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "0.0.1"
+  changes:
+    - description: Initial Release
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2187
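Review bot: The three input descriptions only say that syslog is collected via UDP, TCP or file; nothing in this manifest tells the operator that the UDP listener accepts unauthenticated, easily spoofed datagrams from any source, or whether the TCP listener can be put behind TLS (that would be declared in the data stream's own manifest, which is not in this chunk). Because the package is categorised `security` and its events feed detections, the policy template description is the natural place to state the trust assumption, e.g. `description: Collect Sophos logs from syslog or a file. Syslog over UDP/TCP is unauthenticated; restrict the listener to the firewall's source address, or use TLS where the input supports it.`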
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/logfile.yml.hbs b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..f1500f2dbf
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/logfile.yml.hbs
@@ -0,0 +1,28 @@
+paths:
+{{#each paths as |path i|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+    remove_mapped_fields: {{remove_mapped_fields}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/tcp.yml.hbs b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..9ef03795f9
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,25 @@
+host: "{{listen_address}}:{{listen_port}}"
+max_message_size: 1 MiB
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+    remove_mapped_fields: {{remove_mapped_fields}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/udp.yml.hbs b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..9ef03795f9
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,25 @@
+host: "{{listen_address}}:{{listen_port}}"
+max_message_size: 1 MiB
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+fields_under_root: true
+fields:
+  _conf:
+    tz_offset: '{{tz_offset}}'
+    remove_mapped_fields: {{remove_mapped_fields}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9616d31362
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
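Review bot: `- {{path}}` is rendered as a plain, unquoted YAML scalar, so a configured path containing YAML-significant characters (`: `, ` #`, a leading `*` or `[`) would either fail to parse or silently change the meaning of the rendered input config; quoting it as `  - '{{path}}'` keeps arbitrary paths literal (only an embedded single quote would still need escaping). `remove_mapped_fields: {{remove_mapped_fields}}` has the same shape and renders to a null value if the variable is ever unset, so it is worth a guard or a quoted default as well. The same two lines appear in the tcp and udp templates in this diff, so any change should be applied to all three.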
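Review bot: The TCP listener is configured with only `host` and `max_message_size`; there is no `ssl` stanza, so every connection is accepted in cleartext from any peer, and nothing the operator sets at the policy level can enable TLS unless this template renders it. If the data stream manifest (outside this chunk) declares an `ssl` variable, the template should pass it through with `{{#if ssl}}` / `ssl: {{ssl}}` / `{{/if}}`; if it does not, the input description should state that the transport is cleartext so operators know to terminate TLS elsewhere. Note also that `max_message_size: 1 MiB` bounds one message but nothing here bounds the number of concurrent connections, which is left at whatever the input defaults to.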
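Review bot: This template is byte-identical to tcp.yml.hbs (both headers carry blob 9ef03795f9), so the UDP listener gets the same `host` and `max_message_size` and nothing else; UDP syslog carries no authentication and the source address is trivially spoofed, so anyone who can reach `{{listen_address}}:{{listen_port}}` can inject fabricated Symantec events straight into this data stream and any detections built on it. That is inherent to the input rather than a defect in the hunk, but the trust boundary should be written down where the operator configures it. A Handlebars comment at the top of the template renders to nothing and documents it, e.g. `{{! UDP syslog is unauthenticated and spoofable: bind listen_address to a trusted interface and firewall listen_port to the hosts that forward Symantec logs. }}`.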
@@ -0,0 +1,1109 @@
+---
+description: Pipeline for parsing Symantec Endpoint logs
+processors:
+- set:
+    field: event.original
+    copy_from: message
+    # Never override event.original (for the reindexing use case).
+    override: false
+
+- set:
+    field: ecs.version
+    value: '1.12.0'
+
+- grok:
+    description: Parse syslog header.
+    if: ctx.event.original.startsWith('<')
+    field: event.original
+    patterns:
+      - '^<%{NONNEGINT:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})(?: %{SYSLOGFACILITY})?(?: %{SYSLOGHOST:log.syslog.hostname})?(?: %{SYSLOGPROG}:)? %{GREEDYDATA:message}'
+      - '^%{SYSLOG5424LINE}'
+    pattern_definitions:
+      SYSLOGPROG: '%{PROG:log.syslog.process.name}(?:\[%{POSINT:log.syslog.process.pid:long}\])?'
+      SYSLOG5424PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+      SYSLOG5424BASE: '%{SYSLOG5424PRI}%{NONNEGINT:log.syslog.version:long} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:log.syslog.hostname}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.process.name}) +(?:-|%{POSINT:log.syslog.process.pid:long}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.message_id}) +(?:-|%{SYSLOG5424SD:log.syslog.structured_data})?'
+      SYSLOG5424LINE: '%{SYSLOG5424BASE} +%{GREEDYDATA:message}'
+- grok:
+    description: Parse date/severity from log file dump format.
+    if: ctx.event.original.startsWith('20') || ctx.event.original.startsWith('19')
+    field: event.original
+    patterns:
+      - '^%{TIMESTAMP_ISO8601:timestamp},%{LOG_SEVERITY:log.level},%{GREEDYDATA:message}'
+    pattern_definitions:
+      LOG_SEVERITY: '(?:%{LOGLEVEL}|[Cc]ritical|CRITICAL|[Mm]ajor|MAJOR|[Mm]inor|MINOR|[Ii]nfo|INFO|[Ww]arning|WARNING|[Ee]rror|ERROR|[Ff]atal|FATAL)'
+    ignore_failure: true
+- date:
+    if: ctx?.timestamp != null
+    field: timestamp
+    target_field: "@timestamp"
+    formats:
+      - "MMM dd HH:mm:ss"
+      - "MMM d HH:mm:ss"
+      - "MMM d HH:mm:ss"
+      - ISO8601
+      - "YYYY-dd-MM HH:mm:ss"
+    timezone: '{{{_conf.tz_offset}}}'
+- remove:
+    ignore_missing: true
+    field: timestamp
+
+###
+# Processing steps:
+# 1. Parse the CSV into an array of column values.
+# 2. Parse labels from each column if the value takes the form of 'Label Name: Some Value' or 'Label Name:'.
+# 3. Fingerprint the message based by joining the labels separated by '|'. Use 'NONE' for columns without an embedded label.
+# 4. Set 'event.provider' based on the message fingerprint. The different log types are listed in https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative.
+# 5. Handle columns without an embedded label. Based on the fingerprint, map unlabeled columns to a key.
+###
+
+- csv:
+    field: message
+    empty_value: ""
+    target_fields:
+      - '_csv_array.00'
+      - '_csv_array.01'
+      - '_csv_array.02'
+      - '_csv_array.03'
+      - '_csv_array.04'
+      - '_csv_array.05'
+      - '_csv_array.06'
+      - '_csv_array.07'
+      - '_csv_array.08'
+      - '_csv_array.09'
+      - '_csv_array.10'
+      - '_csv_array.11'
+      - '_csv_array.12'
+      - '_csv_array.13'
+      - '_csv_array.14'
+      - '_csv_array.15'
+      - '_csv_array.16'
+      - '_csv_array.17'
+      - '_csv_array.18'
+      - '_csv_array.19'
+      - '_csv_array.20'
+      - '_csv_array.21'
+      - '_csv_array.22'
+      - '_csv_array.23'
+      - '_csv_array.24'
+      - '_csv_array.25'
+      - '_csv_array.26'
+      - '_csv_array.27'
+      - '_csv_array.28'
+      - '_csv_array.29'
+      - '_csv_array.30'
+      - '_csv_array.31'
+      - '_csv_array.32'
+      - '_csv_array.33'
+      - '_csv_array.34'
+      - '_csv_array.35'
+      - '_csv_array.36'
+      - '_csv_array.37'
+      - '_csv_array.38'
+      - '_csv_array.39'
+      - '_csv_array.40'
+      - '_csv_array.41'
+      - '_csv_array.42'
+      - '_csv_array.43'
+      - '_csv_array.44'
+      - '_csv_array.45'
+      - '_csv_array.46'
+      - '_csv_array.47'
+      - '_csv_array.48'
+      - '_csv_array.49'
+      - '_csv_array.50'
+
+- script:
+    description: Create array from CSV values.
+    tag: csv-map-to-array
+    lang: painless
+    source: |
+      def columnArray = [];
+      def sortedMap = new TreeMap();
+      sortedMap.putAll(ctx._csv_array);
+      sortedMap.forEach((key, value) -> {
+        def v = value;
+        if (v.startsWith("'") && v.endsWith("'"))
+        {
+          v = v.substring(1, v.length() - 1);
+        }
+        columnArray.add(v);
+      });
+      ctx['_csv_array'] = columnArray;
+
+- script:
+    description: Split colon separated key/values.
+    tag: split-colon-separated-key-value
+    lang: painless
+    source: |
+      def aliases = Collections.unmodifiableMap([
+        'computer': 'computer_name',
+        'domain': 'domain_name',
+        'end_time': 'end',
+        'local': 'local_host_ip',
+        'local_host': 'local_host_ip',
+        'server_name': 'server',
+        'user': 'user_name'
+      ]);
+
+      def keyPattern = /^([a-zA-Z][a-zA-Z0-9 \(\)-]{0,28}):(?:\s(.+)|\s)?/;
+      def keyValue = [:];
+      def fingerprint = [];
+      ctx._csv_array.forEach(v -> {
+        def m = keyPattern.matcher(v);
+        def key = 'NONE';
+        if (m.matches()) {
+          key = m.group(1).toLowerCase().replace(' ', '_');
+          key = /[\(\)]+/.matcher(key).replaceAll('');
+
+          def tmp = aliases[key];
+          if (tmp != null) {
+            key = tmp;
+          }
+
+
+          def value = m.group(2);
+          if (value != null && !value.trim().isEmpty()) {
+            keyValue[key] = value.trim();
+          }
+        }
+
+        fingerprint.add(key);
+        return true;
+      });
+      if (!keyValue.isEmpty()) {
+        ctx['_csv_map'] = keyValue;
+      }
+      ctx['_fingerprint'] = String.join("|", fingerprint);
+
+- remove:
+    field: message
+    ignore_missing: true
+
+###
+# Note to maintainers:
+# The fingerprints below can be generated by adding 'debug' to the tags field.
+# This causes a new _fingerprint field to be added to the event.
+###
+- script:
+    description: Assign keys to unlabeled columns based on fingerprints.
+    lang: painless
+    params:
+      providers:
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Behavior
+        - name: 'Agent Behavior Log'
+          fingerprint: NONE|NONE|NONE|NONE|NONE|begin|end|rule|NONE|NONE|NONE|NONE|NONE|user_name|domain_name|action_type|file_size_bytes|device_id
+          event_category: [intrusion_detection, process]
+          columns:
+            - index: 1
+              name: local_host_ip
+            - index: 2
+              name: action
+            - index: 3
+              name: event_description
+            - index: 4
+              name: api_name
+            - index: 8
+              name: caller_process_id
+            - index: 9
+              name: caller_process_name
+            - index: 10
+              name: caller_return_address
+            - index: 11
+              name: caller_return_module_name
+            - index: 12
+              name: parameters # name of the module, process, registry location or file
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security
+        - name: 'Agent Security Log'
+          fingerprint:
+            - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|intrusion_id|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5
+            - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|NONE|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5
+          event_category: [intrusion_detection, network, process]
+          event_type: [connection]
+          columns:
+            - index: 7
+              name: traffic_direction
+            - index: 8
+              name: network_protocol
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic
+        - name: 'Agent Traffic Log'
+          fingerprint: NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5
+          event_category: [intrusion_detection, network, process]
+          event_type: [connection]
+          columns:
+            - index: 9
+              name: traffic_direction
+            - index: 8
+              name: network_protocol
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Activity
+        - name: 'Agent Activity Log'
+          fingerprint: site|server|domain_name|NONE|NONE|NONE|NONE
+          columns:
+            - index: 3
+              name: event_description
+            - index: 4
+              name: local_host_name
+            - index: 5
+              name: user_name
+            - index: 6
+              name: domain_name
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Packet
+        - name: 'Agent Packet Log'
+          fingerprint:
+            - NONE|local_host_ip|local_port|remote_host_ip|remote_host_name|remote_port|NONE|application|action
+          event_category: [intrusion_detection, network, process]
+          event_type: [connection]
+          columns:
+            - index: 6
+              name: traffic_direction
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System
+        - name: 'Agent System Log'
+          fingerprint:
+            - NONE|category|NONE|NONE|event_time
+          columns:
+            - index: 2
+              name: event_source
+            - index: 3
+              name: event_description
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Administrative
+        - name: 'Administrative Log'
+          fingerprint: site|server|domain_name|admin|NONE
+          columns:
+            - index: 4
+              name: event_description
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System
+        - name: 'System Log'
+          fingerprint: site|server|NONE
+          columns:
+            - index: 2
+              name: event_description
+        # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection
+        - name: 'Agent Proactive Detection Log'
+          fingerprint:
NONE|computer_name|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|detection_source|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip + columns: + - index: 0 + name: event_description + - index: 16 + name: submission_recommended + - index: 28 + name: file_path + - index: 29 + name: description + - name: 'Agent Proactive Detection Log' + fingerprint: NONE|computer_name|ip_address|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|risk_type|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number + columns: + - index: 0 + name: event_description + - index: 17 + name: submission_recommended + - index: 29 + name: file_path + - index: 30 + name: description + # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy + - name: 'Policy Log' + fingerprint: site|server|domain_name|admin|event_description|NONE + columns: + - index: 5 + name: policy_name + # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan + - name: 'Agent Scan Log' + fingerprint: 
scan_id|begin|end|NONE|duration_seconds|user1|user2|NONE|scan_complete|command|threats|infected|total_files|omitted|computer_name|ip_address|domain_name|group|server + columns: + - index: 3 + name: action + - index: 7 + name: event_description + # https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Risk + - name: 'Agent Risk Log' + fingerprint: NONE|ip_address|computer_name|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|last_update_time|domain_name|group|server|user_name|source_computer|source_ip|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|first_seen|sensitivity|permitted_application_reason|application_hash|hash_type|company_name|application_name|application_version|application_type|file_size_bytes|category_set|category_type|location|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number + columns: + - index: 0 + name: event_description + - index: 6 + name: file_path + source: | + // Assume first column is always the host.hostname. 
+ def hostname = ctx._csv_array.get(0); + if (/[\.a-zA-Z0-9_-]+/.matcher(hostname).matches()) { + if (ctx?.host == null) { + ctx['host'] = [:]; + } + ctx['host']['hostname'] = hostname; + } + + def provider = null; + for (def p: params.providers) { + if (p.fingerprint == ctx._fingerprint || (p.fingerprint instanceof Collection && p.fingerprint.contains(ctx._fingerprint))) { + provider = p; + break; + } + } + if (provider == null) { return; } + + ctx['event']['provider'] = provider.name; + if (provider?.event_category != null) { + ctx['event']['category'] = new ArrayList(provider.event_category); + } + if (provider?.event_type!= null) { + ctx['event']['type'] = new ArrayList(provider.event_type); + } + for (def c : provider.columns) { + def v = ctx._csv_array.get(c.index).trim(); + if (!v.isEmpty()) { + ctx._csv_map[c.name] = v; + } + } + + +- rename: + field: _csv_map + target_field: symantec_endpoint.log + ignore_missing: true + +### +# BEGIN handling of Symantec Endpoint fields. +### + +# Action +- lowercase: + field: symantec_endpoint.log.action + ignore_missing: true +- set: + field: event.action + copy_from: symantec_endpoint.log.action + ignore_failure: true + +# Actual Action +- set: + if: ctx?.event?.action == null + field: event.action + copy_from: symantec_endpoint.log.actual_action + ignore_failure: true + +# Admin +- set: + field: user.name + copy_from: symantec_endpoint.log.admin + ignore_failure: true + +# Application +- set: + if: ctx?.process?.executable == null + field: process.executable + copy_from: symantec_endpoint.log.application + ignore_failure: true + +# Application Name +- set: + field: file.pe.product + copy_from: symantec_endpoint.log.application_name + ignore_failure: true + +# Application Version +- set: + field: file.pe.file_version + copy_from: symantec_endpoint.log.application_version + ignore_failure: true + +# Begin +- date: + field: symantec_endpoint.log.begin + target_field: event.start + ignore_failure: true + formats: + - 
yyyy-MM-dd HH:mm:ss + +# Caller MD-5 +- dissect: + tag: caller-md5 + field: symantec_endpoint.log.event_description + pattern: '%{} Caller MD5=%{process.hash.md5}' + ignore_failure: true + +# Caller Process ID +- convert: + field: symantec_endpoint.log.caller_process_id + target_field: process.pid + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.caller_process_id + +# Caller Process Name +- set: + if: ctx?.process?.executable == null + field: process.executable + copy_from: symantec_endpoint.log.caller_process_name + ignore_failure: true + +# Certificate Issuer +- append: + if: ctx?.symantec_endpoint?.log?.certificate_issuer != null + field: file.x509.issuer.common_name + value: '{{{symantec_endpoint.log.certificate_issuer}}}' + +# Certificate Serial Number +- set: + field: file.x509.serial_number + copy_from: symantec_endpoint.log.certificate_serial_number + ignore_failure: true + + # Certificate Signer +- append: + if: ctx?.symantec_endpoint?.log?.certificate_signer != null + field: file.x509.issuer.common_name + value: '{{{symantec_endpoint.log.certificate_signer}}}' + +# Certificate Thumbprint (hex encoded sha1 hashes are 40 characters) +- lowercase: + if: ctx?.symantec_endpoint?.log?.certificate_thumbprint != null && ctx.symantec_endpoint.log.certificate_thumbprint.length() == 40 + field: symantec_endpoint.log.certificate_thumbprint + target_field: file.hash.sha1 + +# Company Name +- set: + field: file.pe.company + copy_from: symantec_endpoint.log.company_name + ignore_failure: true + +# Company Name +- set: + field: host.hostname + copy_from: symantec_endpoint.log.computer_name + override: false + ignore_failure: true + +# Domain Name +- set: + if: ctx?.user?.domain == null + field: user.domain + copy_from: symantec_endpoint.log.domain_name + ignore_failure: true + +# Downloaded by +- set: + if: ctx?.process?.executable == null + field: process.executable + copy_from: symantec_endpoint.log.downloaded_by + 
ignore_failure: true + +# Download site +- uri_parts: + field: symantec_endpoint.log.download_site + ignore_failure: true + +# Duration (seconds) +- convert: + field: symantec_endpoint.log.duration_seconds + target_field: event.duration + type: long + ignore_missing: true + ignore_failure: true +- script: + description: Convert event.duration from seconds to nanoseconds. + if: ctx?.event?.duration != null + lang: painless + source: + ctx.event['duration'] = ctx.event.duration * 1e9; + +# End +- date: + field: symantec_endpoint.log.end + target_field: event.end + ignore_failure: true + formats: + - yyyy-MM-dd HH:mm:ss + +# Event Description +- set: + field: message + copy_from: symantec_endpoint.log.event_description + ignore_failure: true + +# Event Time +- date: + if: ctx?.symantec_endpoint?.log?.event_time != null + field: symantec_endpoint.log.event_time + target_field: symantec_endpoint.log.event_time + ignore_failure: true + formats: + - yyyy-MM-dd HH:mm:ss + on_failure: + - remove: + field: symantec_endpoint.log.event_time +- set: + if: ctx?.symantec_endpoint?.log?.event_time != null + field: '@timestamp' + copy_from: symantec_endpoint.log.event_time + +# File Path +- set: + field: file.path + copy_from: symantec_endpoint.log.file_path + ignore_failure: true + +# File Size (bytes) +- convert: + field: symantec_endpoint.log.file_size_bytes + target_field: file.size + type: long + ignore_missing: true + ignore_failure: true + +# Infected +- convert: + field: symantec_endpoint.log.infected + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.infected + +# Inserted +- date: + if: ctx?.symantec_endpoint?.log?.inserted != null + field: symantec_endpoint.log.inserted + target_field: symantec_endpoint.log.inserted + ignore_failure: true + formats: + - yyyy-MM-dd HH:mm:ss + on_failure: + - remove: + field: symantec_endpoint.log.inserted + +# Intrusion ID +- set: + field: rule.id + copy_from: symantec_endpoint.log.intrusion_id + 
ignore_failure: true + +# Intrusion Payload URL + +# Intrusion URL +- set: + field: url.original + copy_from: symantec_endpoint.log.intrusion_url + ignore_failure: true + +# IP Address +- append: + if: ctx?.symantec_endpoint.log?.ip_address != null + field: host.ip + value: '{{{symantec_endpoint.log.ip_address}}}' + allow_duplicates: false + +# Last Update Time (listed as always being in GMT) +- date: + if: ctx?.symantec_endpoint?.log?.last_update_time != null + field: symantec_endpoint.log.last_update_time + target_field: symantec_endpoint.log.last_update_time + formats: + - yyyy-MM-dd HH:mm:ss + on_failure: + - remove: + field: symantec_endpoint.log.last_update_time + +# Local Host IP +- set: + if: ctx?.symantec_endpoint?.log?.local_host_ip != null && ctx.symantec_endpoint.log.local_host_ip != "0.0.0.0" + field: source.address + copy_from: symantec_endpoint.log.local_host_ip + +# Local Host MAC +- set: + field: source.mac + copy_from: symantec_endpoint.log.local_host_mac + ignore_failure: true +- gsub: + field: source.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- remove: + if: ctx?.source?.mac == '000000000000' + field: source.mac +- gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: source.mac + ignore_missing: true + +# Local Host Name +- set: + if: ctx?.symantec_endpoint?.log?.local_host_name != "" + field: source.domain + copy_from: symantec_endpoint.log.local_host_name + ignore_failure: true + +# Local Port +- convert: + if: ctx?.symantec_endpoint?.log?.local_port != "0" + field: symantec_endpoint.log.local_port + target_field: source.port + type: long + ignore_failure: true + +# Location +- set: + field: source.geo.name + copy_from: symantec_endpoint.log.location + ignore_failure: true + +# MD-5 +- set: + field: process.hash.md5 + copy_from: symantec_endpoint.log.md-5 + ignore_failure: true +- lowercase: + field: process.hash.md5 + ignore_missing: true + +# Network 
Protocol (known as ECS network transport) +- set: + field: network.transport + copy_from: symantec_endpoint.log.network_protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_missing: true + +# Occurrences +- convert: + field: symantec_endpoint.log.occurrences + target_field: event.count + type: long + ignore_failure: true + +# Omitted +- convert: + field: symantec_endpoint.log.omitted + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.omitted + +# Remote Host IP +- set: + if: ctx?.symantec_endpoint?.log?.remote_host_ip != null && ctx.symantec_endpoint.log.remote_host_ip != "0.0.0.0" + field: destination.address + copy_from: symantec_endpoint.log.remote_host_ip + +# Remote Host MAC +- set: + field: destination.mac + copy_from: symantec_endpoint.log.remote_host_mac + ignore_failure: true +- gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- remove: + if: ctx?.destination?.mac == '000000000000' + field: destination.mac +- gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: destination.mac + ignore_missing: true + +# Remote Host Name +- set: + if: ctx?.symantec_endpoint?.log?.remote_host_name != "" + field: destination.domain + copy_from: symantec_endpoint.log.remote_host_name + ignore_failure: true + +# Remote Port +- convert: + if: ctx?.symantec_endpoint?.log?.remote_port != "0" + field: symantec_endpoint.log.remote_port + target_field: destination.port + type: long + ignore_failure: true + +# Rule +- set: + field: rule.name + copy_from: symantec_endpoint.log.rule + ignore_failure: true + +# Sensitivity +- convert: + field: symantec_endpoint.log.sensitivity + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.sensitivity + +# SHA-256 +- set: + field: process.hash.sha256 + copy_from: symantec_endpoint.log.sha-256 + ignore_failure: true +- lowercase: 
+ field: process.hash.sha256 + ignore_missing: true + +# Signing Timestamp (Agent Risk Log) +- date: + if: ctx?.symantec_endpoint?.log?.signing_timestamp != null + field: symantec_endpoint.log.signing_timestamp + target_field: symantec_endpoint.log.signing_timestamp + formats: + - UNIX + on_failure: + - remove: + field: symantec_endpoint.log.signing_timestamp +- set: + field: file.x509.not_before + copy_from: symantec_endpoint.log.signing_timestamp + ignore_failure: true + +# Source Computer +- set: + field: source.domain + copy_from: symantec_endpoint.log.source_computer + ignore_failure: true + +# Source IP +- set: + field: source.address + copy_from: symantec_endpoint.log.source_ip + ignore_failure: true + +# Submission Recommended (Recommendation in the form of YES or NO on whether to submit this detection to Symantec or not.) +- set: + if: ctx?.symantec_endpoint?.log?.submission_recommended != null && ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') + field: symantec_endpoint.log.submission_recommended + value: true +- set: + if: ctx?.symantec_endpoint?.log?.submission_recommended != null && !ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') + field: symantec_endpoint.log.submission_recommended + value: false + +# Traffic Direction +# NOTE: inbound/outbound is changed to ingress/egress because this is a host +# based EDR and ECS guidelines say to use ingress/egress for hosts. 
+- set: + field: network.direction + copy_from: symantec_endpoint.log.traffic_direction + ignore_failure: true +- lowercase: + field: network.direction + ignore_missing: true +- set: + if: ctx?.network?.direction == "inbound" + field: network.direction + value: ingress +- set: + if: ctx?.network?.direction == "outbound" + field: network.direction + value: egress + +# Threats +- convert: + field: symantec_endpoint.log.threats + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.threats + +# Total files +- convert: + field: symantec_endpoint.log.total_files + type: long + ignore_missing: true + on_failure: + - remove: + field: symantec_endpoint.log.total_files + +# User Name +- set: + field: user.name + copy_from: symantec_endpoint.log.user_name + ignore_failure: true + +# User1 +- set: + if: ctx?.symantec_endpoint?.log?.user1 != null && ctx?.user?.name == null + field: user.name + copy_from: symantec_endpoint.log.user1 + +### +# END handling of Symantec Endpoint fields. +### + +- remove: + if: ctx?._conf?.remove_mapped_fields == true + description: Remove symantec_endpoint.log fields that are mapped in some way to ECS. 
+ ignore_missing: true + field: + - symantec_endpoint.log.action + - symantec_endpoint.log.actual_action + - symantec_endpoint.log.admin + - symantec_endpoint.log.application + - symantec_endpoint.log.application_name + - symantec_endpoint.log.application_version + - symantec_endpoint.log.begin + - symantec_endpoint.log.caller_process_id + - symantec_endpoint.log.caller_process_name + - symantec_endpoint.log.certificate_serial_number + - symantec_endpoint.log.certificate_thumbprint + - symantec_endpoint.log.company_name + - symantec_endpoint.log.domain_name + - symantec_endpoint.log.download_site + - symantec_endpoint.log.downloaded_by + - symantec_endpoint.log.duration_seconds + - symantec_endpoint.log.end + - symantec_endpoint.log.event_description + - symantec_endpoint.log.event_time + - symantec_endpoint.log.file_path + - symantec_endpoint.log.file_size_bytes + - symantec_endpoint.log.inserted + - symantec_endpoint.log.intrusion_id + - symantec_endpoint.log.intrusion_url + - symantec_endpoint.log.last_update_time + - symantec_endpoint.log.local_host_ip + - symantec_endpoint.log.local_host_mac + - symantec_endpoint.log.local_host_name + - symantec_endpoint.log.local_port + - symantec_endpoint.log.location + - symantec_endpoint.log.md-5 + - symantec_endpoint.log.network_protocol + - symantec_endpoint.log.occurrences + - symantec_endpoint.log.remote_host_ip + - symantec_endpoint.log.remote_host_mac + - symantec_endpoint.log.remote_host_name + - symantec_endpoint.log.remote_port + - symantec_endpoint.log.rule + - symantec_endpoint.log.sha-256 + - symantec_endpoint.log.signing_timestamp + - symantec_endpoint.log.source_computer + - symantec_endpoint.log.source_ip + - symantec_endpoint.log.submission_recommended + - symantec_endpoint.log.traffic_direction + - symantec_endpoint.log.user1 + - symantec_endpoint.log.user_name + +- remove: + description: Remove empty symantec_endpoint.log object. 
+ if: ctx?.symantec_endpoint?.log != null && ctx.symantec_endpoint.log.isEmpty() + field: symantec_endpoint + ignore_missing: true + +# ECS Categorization +- set: + field: event.kind + value: event +- append: + description: Set event.type to allowed when activity is blocked. + if: ctx?.event?.action == 'blocked' || (ctx?.message != null && !ctx.message.contains('not blocked') && ctx.message.contains('blocked')) + field: event.type + value: denied + allow_duplicates: false +- append: + description: Set event.type to allowed when activity is not blocked. + if: ctx?.event?.action == 'not blocked' || (ctx?.message != null && ctx.message.contains('not blocked')) + field: event.type + value: allowed + allow_duplicates: false +- append: + if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') + field: event.category + value: authentication +- append: + if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') + field: event.type + value: info +- set: + if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on failed') + field: event.outcome + value: failure +- set: + if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on succeeded') + field: event.outcome + value: success + +# Destination IP +- convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + ignore_failure: true + +# Source IP +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true + +# Network Type +- set: + if: ctx?.source?.ip != null && !ctx.source.ip.contains(':') + field: network.type + value: ipv4 +- set: + if: ctx?.source?.ip != null && ctx.source.ip.contains(':') + field: network.type + value: ipv6 + +# Host IP +- append: + if: ctx?.source?.ip != null + field: host.ip + value: '{{{source.ip}}}' + allow_duplicates: false + +# Host MAC +- append: + if: ctx?.source?.mac != null + field: host.mac + 
value: '{{{source.mac}}}' + allow_duplicates: false + +# Host Hostname +- set: + field: host.hostname + copy_from: source.domain + override: false + ignore_failure: true + +# Host Name +- set: + field: host.name + copy_from: host.hostname + override: false + ignore_failure: true + +# Related IP +- append: + if: ctx?.source?.ip != null + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false +- append: + if: ctx?.destination?.ip != null + field: related.ip + value: '{{{destination.ip}}}' + allow_duplicates: false + +# Related Hash +- append: + if: ctx?.file?.hash?.sha1 != null + field: related.hash + value: '{{{file.hash.sha1}}}' + allow_duplicates: true +- append: + if: ctx?.process?.hash?.md5 != null + field: related.hash + value: '{{{process.hash.md5}}}' + allow_duplicates: true +- append: + if: ctx?.process?.hash?.sha256 != null + field: related.hash + value: '{{{process.hash.sha256}}}' + allow_duplicates: true + +# Community ID +- community_id: + ignore_failure: true + +# IP Geolocation Lookup +- geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: 
destination.as.organization.name + ignore_missing: true + +- script: + # Local was assumed to be source and remote was assumed to be destination. + # But if direction is ingress then swap the two around. + description: Swap source/destination for "ingress". + tag: swap-source-destination-on-ingress + if: ctx?.network?.direction == "ingress" && ctx?.source != null && ctx?.destination != null + lang: painless + source: | + def tmp = ctx.source; + ctx.source = ctx.destination; + ctx.destination = tmp; + +- remove: + description: Retain event.original when preserve_original_event tag exists. + if: ctx?.tags == null || !ctx.tags.contains('preserve_original_event') + field: event.original + ignore_missing: true + +- remove: + if: ctx?.tags == null || !ctx.tags.contains('debug') + ignore_missing: true + field: + - _conf + - _csv_array + - _fingerprint + +on_failure: +- set: + field: error.message + value: 'processor {{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}' + +- remove: + if: ctx?.tags == null || !ctx.tags.contains('debug') + ignore_missing: true + field: + - _conf + - _csv_array + - _csv_map + - _fingerprint diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..c2cceee2d3 --- /dev/null +++ b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/agent.yml 
@@ -0,0 +1,210 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..d5fd358e28
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,32 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: symantec_endpoint
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: symantec_endpoint.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
+- name: observer.vendor
+ type: constant_keyword
+ description: Vendor name of the observer.
+ value: Symantec
+- name: observer.product
+ type: constant_keyword
+ description: The product name of the observer.
+ value: Endpoint Protection
+- name: observer.type
+ type: constant_keyword
+ description: The type of the observer the data is coming from.
+ value: edr
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..852bacf52f
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/ecs.yml
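Review bot: In agent.yml the `cloud.account.id` entry uses `example: 666777888999`, an unquoted all-digit scalar that YAML loaders read as an integer even though the field's `type` is `keyword`. Quote it as `example: "666777888999"` so the example stays a string, consistent with the quoted `example: "18D109"` already used for `host.os.build` later in the same hunk. This file appears to be the shared agent.yml field template copied into the package, so the fix may belong in that upstream template rather than only in this copy.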
@@ -0,0 +1,321 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Destination domain. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Name of the dataset. + If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + name: event.dataset + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Name of the module this data is coming from. + If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + name: event.module + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: Name of the file including the extension, without the directory. 
+ name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: file.pe.company + type: keyword +- description: Internal version of the file, provided at compile-time. + name: file.pe.file_version + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: file.pe.product + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: List of common name (CN) of issuing certificate authority. + name: file.x509.issuer.common_name + type: keyword +- description: Time at which the certificate is first considered valid. + name: file.x509.not_before + type: date +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: file.x509.serial_number + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + name: network.type + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. 
+ name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Source domain. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. 
+ name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
+ This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/fields/fields.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..2c2cef565a --- /dev/null +++ b/packages/symantec_endpoint/0.0.4/data_stream/log/fields/fields.yml 
@@ -0,0 +1,333 @@
+- name: symantec_endpoint.log
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: >
+ The action taken on the traffic, e.g. "Blocked".
+
+ - name: actual_action
+ type: keyword
+ description: Actual action from risk logs and proactive detection (SONAR) logs.
+ - name: admin
+ type: keyword
+ description: Name of the SEPM admin.
+ - name: api_name
+ type: keyword
+ description: API name that was blocked (agent behavior log).
+ - name: application
+ type: keyword
+ description: The full path name of the application involved.
+ - name: application_hash
+ type: keyword
+ description: The hash for this application.
+ - name: application_name
+ type: keyword
+ description: The application name.
+ - name: application_type
+ type: keyword
+ description: Application type (Trojan, key logger etc).
+ - name: application_version
+ type: keyword
+ description: The application version.
+ - name: begin
+ type: keyword
+ description: Start time of the event (also see event.start).
+ - name: caller_process_id
+ type: keyword
+ description: The ID of the process that triggers the logging.
+ - name: caller_process_name
+ type: keyword
+ description: >
+ The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log".
+
+ - name: caller_return_address
+ type: keyword
+ description: >
+ The return address of the caller. This field allows the detection of the calling module that makes the API call.
+
+ This is historically not used. You can expect Return Address to always be 0.
+
+ - name: caller_return_module_name
+ description: >
+ The module name of the caller. See CallerReturnAddress for more information.
+
+ Return Module name is historically unused.
You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started.
+
+ type: keyword
+ - name: category
+ type: keyword
+ description: Agent system log category (generally not populated by SEPM).
+ - name: category_set
+ type: keyword
+ description: Agent risk log category.
+ - name: category_type
+ type: keyword
+ description: Agent risk log category type.
+ - name: certificate_issuer
+ type: keyword
+ description: The certificate's issuer.
+ - name: certificate_serial_number
+ type: keyword
+ description: The certificate's serial number.
+ - name: certificate_signer
+ type: keyword
+ description: The certificate's signer.
+ - name: certificate_thumbprint
+ type: keyword
+ description: The certificate's thumbprint.
+ - name: cids_signature_id
+ type: keyword
+ description: The signature ID.
+ - name: cids_signature_string
+ type: keyword
+ description: The signature name.
+ - name: cids_signature_subid
+ type: keyword
+ description: The signature sub ID.
+ - name: coh_engine_version
+ type: keyword
+ description: TruScan engine version.
+ - name: command
+ type: keyword
+ description: Command sent from the SEPM.
+ - name: company_name
+ type: keyword
+ description: The company name from the application (used in agent risk logs).
+ - name: computer_name
+ type: keyword
+ description: Name of the host machine (used in agent risk/scan logs).
+ - name: confidence
+ type: keyword
+ description: >
+ The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy."
+
+ - name: description
+ type: keyword
+ description: Description of the virus file.
+ - name: detection_score
+ type: keyword
+ description: Score of detection.
+ - name: detection_source
+ type: keyword
+ description: Source of the detection.
+ - name: detection_type
+ type: keyword
+ description: Type of detection (e.g. heuristic).
+ - name: device_id
+ type: keyword
+ description: The GUID of an external device (floppy disk, DVD, USB device, etc.).
+ - name: disposition
+ type: keyword
+ description: Good / Bad / Unknown / Not available.
+ - name: domain_name
+ type: keyword
+ description: SEPM domain name.
+ - name: download_site
+ type: keyword
+ description: The URL determined from where the image was downloaded.
+ - name: downloaded_by
+ type: keyword
+ description: The creator process of the dropper threat.
+ - name: duration_seconds
+ type: keyword
+ description: The length of the scan, in seconds.
+ - name: end
+ type: keyword
+ description: Start time of the event (also see event.end).
+ - name: event_description
+ type: keyword
+ description: Description of the event. Usually, the first line of the description is treated as the summary.
+ - name: event_source
+ type: keyword
+ description: The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc.
+ - name: event_time
+ type: date
+ description: Time of event occurrence.
+ - name: file_path
+ type: keyword
+ description: The file path of the attacked file.
+ - name: file_size_bytes
+ type: keyword
+ description: File size of application.
+ - name: first_seen
+ type: keyword
+ description: The first seen date for the convicted application.
+ - name: group
+ type: keyword
+ description: SEPM client group name.
+ - name: hash_type
+ type: keyword
+ description: Application hash type (MD5, SHA1, SHA256 etc).
+ - name: infected
+ type: long
+ description: The number of files that the scan found that were infected.
+ - name: inserted
+ type: date
+ description: The time that the event was inserted into the database.
+ - name: intensive_protection_level
+ type: keyword
+ description: The High Intensity Detection Level.
+ - name: intrusion_id
+ type: keyword
+ description: Intrusion ID.
+ - name: intrusion_payload_url
+ type: keyword
+ description: The URL that hosted the payload.
+ - name: intrusion_url
+ type: keyword
+ description: The URL from the detection.
+ - name: ip_address
+ type: keyword
+ description: IP Address of the machine.
+ - name: last_update_time
+ type: date
+ description: The time on the server when the event is logged into the system or updated in the system (GMT).
+ - name: local_host
+ type: keyword
+ description: The host name of the client computer.
+ - name: local_host_ip
+ type: keyword
+ description: The IP address of the local computer.
+ - name: local_host_mac
+ type: keyword
+ description: The MAC address of the local computer.
+ - name: local_host_name
+ type: keyword
+ description: The host name of the client computer.
+ - name: local_port
+ type: keyword
+ description: The TCP/UDP port of the local computer.
+ - name: location
+ type: keyword
+ description: The location used when the event occurred.
+ - name: md-5
+ type: keyword
+ description: The MD5 hash value.
+ - name: network_protocol
+ type: keyword
+ description: Localized string for Others/ TCP/ UDP/ ICMP.
+ - name: occurrences
+ type: keyword
+ description: The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period.
+ - name: omitted
+ type: long
+ description: The number of files that were omitted.
+ - name: parameters
+ type: keyword
+ description: >
+ Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character.
+
+ As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll.
+
+ - name: permitted_application_reason
+ type: keyword
+ description: Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list).
+ - name: policy_name
+ type: keyword
+ description: Name of the policy.
+ - name: prevalence
+ type: keyword
+ description: Number of users that have seen this.
+ - name: remote_host_ip
+ type: keyword
+ description: The IP address of the remote computer.
+ - name: remote_host_mac
+ type: keyword
+ description: The MAC address of the remote computer.
+ - name: remote_port
+ type: keyword
+ description: The TCP/UDP port of the remote computer.
+ - name: requested_action
+ type: keyword
+ description: Requested action by policy.
+ - name: risk_level
+ type: keyword
+ description: The risk level (high, med, low) for the convicted threat.
+ - name: risk_name
+ type: keyword
+ - name: risk_type
+ type: keyword
+ description: Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A.
+ - name: rule
+ type: keyword
+ description: >
+ The name of the rule that was triggered by the event.
+
+ If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly.
+
+ - name: scan_complete
+ type: keyword
+ description: Scan message when scan ended.
+ - name: scan_id
+ type: keyword
+ description: The scan ID provided by the agent.
+ - name: secondary_action
+ type: keyword
+ description: Secondary action requested by policy
+ - name: sensitivity
+ type: long
+ description: Engine sensitivity that produced this detection
+ - name: server
+ type: keyword
+ description: Name of the server.
+ - name: server_name
+ type: keyword
+ description: Name of the server.
+ - name: sha-256
+ type: keyword
+ description: The SHA-256 hash value.
+ - name: signing_timestamp
+ type: date
+ description: The certificate's signature timestamp.
+ - name: site
+ type: keyword
+ description: SEPM site name.
+ - name: source
+ type: keyword
+ description: Scan source (e.g. scheduled).
+ - name: source_computer
+ type: keyword
+ description: Computer name where this event occurred.
+ - name: source_ip
+ type: keyword
+ description: IP address of the machine on which the event occurred.
+ - name: submission_recommended
+ type: boolean
+ description: Recommendation on whether to submit this detection to Symantec.
+ - name: threats
+ type: long
+ description: The number of threats that the scan found.
+ - name: total_files
+ type: long
+ description: The number of files scanned.
+ - name: traffic_direction
+ type: keyword
+ description: Unknown / Inbound / Outbound
+ - name: url_tracking_status
+ type: keyword
+ description: Network intrusion prevention status
+ - name: user1
+ type: keyword
+ description: User when scan started.
+ - name: user2
+ type: keyword
+ description: User when scan ended.
+ - name: user_name
+ type: keyword
+ - name: web_domain
+ type: keyword
+ description: The web domain.
+- name: log.syslog.hostname
+ type: keyword
+ description: Hostname parsed from syslog header.
+- name: log.syslog.process.name
+ type: keyword
+- name: log.syslog.process.pid
+ type: long
+- name: log.syslog.priority
+ type: long
+- name: log.syslog.version
+ type: long
+- name: log.syslog.structured_data
+ type: flattened
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/manifest.yml b/packages/symantec_endpoint/0.0.4/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..e24087b13b
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/manifest.yml
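Review bot: The `end` field is described as `Start time of the event (also see event.end).`, a copy of the `begin` description one screen up; change it to `description: End time of the event (also see event.end).`. `risk_name` and `user_name` inside the group, and `log.syslog.process.name`, `log.syslog.process.pid`, `log.syslog.priority`, `log.syslog.version` and `log.syslog.structured_data` at the top level, carry no `description`, so they will show up blank in the generated field reference while every neighbour is documented. The hash fields are the only keys spelled with hyphens (`md-5`, `sha-256`) in an otherwise snake_case list; if that spelling is taken from the vendor's log format, a one-line comment above them saying so will stop a later reader from renaming them.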
@@ -0,0 +1,190 @@
+title: Symantec Endpoint Protection (SEP) Logs
+type: logs
+release: beta
+streams:
+ - input: udp
+ template_path: udp.yml.hbs
+ title: SEP logs (syslog over UDP)
+ description: Collect Symantec Endpoint Protection (SEP) logs over UDP.
+ enabled: true
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9008
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - symantec-endpoint-log
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: false
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: remove_mapped_fields
+ required: true
+ show_user: false
+ title: Remove fields mapped to ECS
+ description: Remove symantec_endpoint.log fields that have been used to populate ECS fields.
This reduces the size of events by removing duplicated data.
+ type: bool
+ multi: false
+ default: false
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: SEP logs (syslog over TCP)
+ description: Collect Symantec Endpoint Protection (SEP) logs over TCP.
+ enabled: false
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9008
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: ssl
+ type: yaml
+ title: TLS
+ description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ enabled: false
+ certificate: "/etc/pki/client/cert.pem"
+ key: "/etc/pki/client/cert.key"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - symantec-endpoint-log
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: false
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: remove_mapped_fields
+ required: true
+ show_user: false
+ title: Remove fields mapped to ECS
+ description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data.
+ type: bool
+ multi: false
+ default: false
+ - input: logfile
+ template_path: logfile.yml.hbs
+ title: SEP logs (from file)
+ description: Collect Symantec Endpoint Protection (SEP) logs from a file.
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log'
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - symantec-endpoint-log
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone
+ multi: false
+ required: false
+ show_user: false
+ default: UTC
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
+ - name: remove_mapped_fields
+ required: true
+ show_user: false
+ title: Remove fields mapped to ECS
+ description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data.
+ type: bool
+ multi: false
+ default: false
diff --git a/packages/symantec_endpoint/0.0.4/data_stream/log/sample_event.json b/packages/symantec_endpoint/0.0.4/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..080bd684ef
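Review bot: The `ssl` var of the tcp stream defaults the listener's key pair to `/etc/pki/client/cert.pem` and `/etc/pki/client/cert.key`, which reads as client credentials although a listening socket presents its own server certificate; the description should say which side these are, e.g. `description: Options for enabling TLS on the listening TCP socket. The certificate and key are the ones this listener presents to connecting clients. See the [documentation](...) for a list of all options.` Since the udp stream is the one shipped `enabled: true` and has no TLS option, the `listen_address` description that suggests `0.0.0.0` could also note that the listener then accepts unauthenticated plaintext syslog from any source that can reach the port. Separately, the `tags` var is `show_user: false` in the udp and tcp streams but `show_user: true` in the logfile stream; if that difference is not deliberate, align the three.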
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/data_stream/log/sample_event.json
@@ -0,0 +1,117 @@
+{
+ "process": {
+ "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE",
+ "hash": {
+ "sha256": "5379732000000000000000000000000000000000000000000000000000000000",
+ "md5": "53797320000000000000000000000000"
+ }
+ },
+ "log": {
+ "syslog": {
+ "process": {
+ "name": "myproc",
+ "pid": 8710
+ },
+ "hostname": "192.0.2.1",
+ "priority": 165,
+ "version": 1
+ }
+ },
+ "destination": {
+ "geo": {
+ "name": "Default"
+ },
+ "address": "192.168.1.113",
+ "port": 80,
+ "mac": "CC-F9-E4-A9-12-26",
+ "ip": "192.168.1.113"
+ },
+ "rule": {
+ "name": "Block Unapproved Incoming Ports"
+ },
+ "source": {
+ "address": "192.168.1.1",
+ "port": 33424,
+ "mac": "2C-3A-FD-A7-9E-71",
+ "ip": "192.168.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=",
+ "transport": "tcp",
+ "type": "ipv4",
+ "direction": "ingress"
+ },
+ "@timestamp": "2021-11-16T12:14:15.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "hash": [
+ "53797320000000000000000000000000",
+ "5379732000000000000000000000000000000000000000000000000000000000"
+ ],
+ "ip": [
+ "192.168.1.113",
+ "192.168.1.1"
+ ]
+ },
+ "host": {
+ "name": "host-rfc5424",
+ "hostname": "host-rfc5424",
+ "mac": [
+ "CC-F9-E4-A9-12-26"
+ ],
+ "ip": [
+ "192.168.1.113"
+ ]
+ },
+ "symantec_endpoint": {
+ "log": {
+ "occurrences": "4",
+ "sha-256": "5379732000000000000000000000000000000000000000000000000000000000",
+ "local_port": "80",
+ "user_name": "sampleuser4",
+ "remote_port": "33424",
+ "rule": "Block Unapproved Incoming Ports",
+ "md-5": "53797320000000000000000000000000",
+ "network_protocol": "TCP",
+ "traffic_direction": "Inbound",
+ "remote_host_ip": "192.168.1.1",
+ "remote_host_mac": "2C3AFDA79E71",
+ "domain_name": "SMPL",
+ "application": "C:/WINDOWS/system32/NTOSKRNL.EXE",
+ "local_host_ip": "192.168.1.113",
+ "action": "blocked",
+ "end": "2020-11-11 19:25:28",
+ "location": "Default",
+ "local_host_mac": 
"CCF9E4A91226",
+ "begin": "2020-11-11 19:25:21"
+ }
+ },
+ "event": {
+ "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "provider": "Agent Traffic Log",
+ "kind": "event",
+ "start": "2020-11-11T19:25:21.000Z",
+ "count": 4,
+ "action": "blocked",
+ "end": "2020-11-11T19:25:28.000Z",
+ "category": [
+ "intrusion_detection",
+ "network",
+ "process"
+ ],
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "user": {
+ "name": "sampleuser4",
+ "domain": "SMPL"
+ }
+}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/0.0.4/docs/README.md b/packages/symantec_endpoint/0.0.4/docs/README.md
new file mode 100755
index 0000000000..b36bc33b35
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/docs/README.md
@@ -0,0 +1,472 @@
+# Symantec Endpoint Protection Integration
+
+This integration is for Symantec Endpoint Protection (SEP) logs. It can be used
+to receive logs sent by SEP over syslog or read logs exported to a text file.
+
+The log message is expected to be in CSV format. Syslog RFC3164 and RCF5424
+headers are allowed and will be parsed if present. The data is mapped to
+ECS fields where applicable and the remaining fields are written under
+`symantec_endpoint.log.*`.
+
+If a specific SEP log type is detected then `event.provider` is set (e.g.
+`Agent Traffic Log`).
+
+## Syslog setup steps
+
+1. Enable this integration with the UDP input.
+2. If the Symantec management server and Elastic Agent are running on different
+hosts then configure the integration to listen on 0.0.0.0 so that it will accept
+UDP packets on all interfaces. This makes the listening port reachable by the
+Symantec server.
+3. Configure the Symantec management server to send syslog to the Elastic Agent
+that is running this integration. See [_Exporting data to a Syslog server_](
+https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html)
+in the SEP guide. Use the IP address or hostname of the Elastic Agent as the
+syslog server address. And use the listen port as the destination port (default
+is 9008).
+
+## Log file setup steps
+
+1. Configure the Symantec management server to export log data to a text file.
+See [Exporting log data to a text file](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-log-data-to-a-text-file-v8440135-d15e1197.html).
+2. Enable this integration with the log file input. 
Configure the input to
+read from the location where the log files are being written. The default is
+`C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log`.
+
+Logs exported to text file always begin with the event time and severity
+columns (e.g. `2020-01-16 08:00:31,Critical,...`).
+
+## Log samples
+
+Below are samples of some different SEP log types. These examples have had their
+syslog header removed, but when sent over syslog these lines typically
+begin with an RFC3164 header like
+`<51>Oct 3 10:38:14 symantec.endpointprotection.test SymantecServer: `
+
+### Administrative Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative
+
+`Site: SEPSite,Server: SEPServer,Domain: _domainOrigin,Admin: _originUser,Administrator log on succeeded`
+
+### Agent Activity Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Activity
+
+`Site: SEPSite,Server Name: exampleserver,Domain Name: Default,The management server received the client log successfully,TESTHOST01,sampleuser01,sample.example.com`
+
+### Agent Behavior Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Behavior
+
+`exampleserver,216.160.83.57,Blocked,[AC7-2.1] Block scripts - Caller MD5=d73b04b0e696b0945283defa3eee4538,File Write,Begin: 2019-09-06 15:18:56,End: 2019-09-06 15:18:56,Rule: Rule Name,9552,C:/ProgramData/bomgar-scc-0x5d4162a4/bomgar-scc.exe,0,No Module Name,C:/ProgramData/bomgar-scc-0x5d4162a4/start-cb-hook.bat,User: _originUser,Domain: _domainOrigin,Action Type: ,File size (bytes): 1403,Device ID: SCSI\Disk&Ven_WDC&Prod_WD10SPCX-75KHST0\4&1d8ead7a&0&000200`
+
+### Agent Packet Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Packet
+
+`exampleserver,Local Host: 81.2.69.143,Local Port: 138,Remote Host IP: 81.2.69.144.,Remote Host Name: ,Remote Port: 
138,Outbound,Application: C:/windows/system32/NTOSKRNL.EXE,Action: Blocked`
+
+### Agent Proactive Detection Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection
+
+`Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,"Application version: ""3",0,6,"0""",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\user\workspace\baseline package creator\release\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:`
+
+### Agent Risk Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Risk
+
+`Security risk found,IP Address: 1.128.3.4,Computer name: exampleComputer,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,e:\removablemediaaccessutility.exe,,Actual action: All actions failed,Requested action: Process terminate pending restart,Secondary action: Left alone,Event time: 2019-09-03 08:12:25,Inserted: 2019-09-03 08:14:03,End: 2019-09-03 08:12:25,Last update time: 2019-09-03 08:14:03,Domain: SEPMServerDoman,Group: My Company\GroupName,Server: 
SEPMServerName,User: exampleUser,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: e:/removablemediaaccessutility.exe,Prevalence: This file has been seen by fewer than 5 Symantec users.,Confidence: There is some evidence that this file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: SHA#1234567890,Hash type: SHA2,Company name: Company Name,Application name: Client for Symantec Endpoint Encryption,Application version: 11.1.2 (Build 1248),Application type: 127,File size (bytes): 4193981,Category set: Malware,Category type: Insight Network Threat,Location: GD-OTS Unmanaged Client - Online,Intensive Protection Level: 0,Certificate issuer: Symantec Corporation,Certificate signer: VeriSign Class 3 Code Signing 2010 CA,Certificate thumbprint: AB6EF1497C6E1C8CCC12F06E945A4954FB41AD45,Signing timestamp: 1482491555,Certificate serial number: AB2D17E62E571F288ACB5666FD3C5230`
+
+### Agent Scan Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan
+
+`Scan ID: 123456789,Begin: 2020-01-31 11:35:28,End: 2020-01-31 11:45:28,Started,Duration (seconds): 600,User1: exampleUser,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 916 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 916,Omitted: 0,Computer: _destinationHostname,IP Address: 1.128.3.4,Domain: exampleDomain,Group: Company\US\UserWS\Main Office,Server: SEPServer`
+
+### Agent Security Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security
+
+`server03,Event Description: ARP Cache Poison,Local Host IP: 0.0.0.0,Local Host MAC: 2DFF88AABBDC,Remote Host Name: ,Remote Host IP: 
0.0.0.0,Remote Host MAC: AABBCCDDEEFF,Inbound,Unknown,Intrusion ID: 0,Begin: 2020-11-23 13:56:35,End Time: 2020-11-23 13:56:35,Occurrences: 1,Application: ,Location: Remote,User Name: bobby,Domain Name: local,Local Port: 0,Remote Port: 0,CIDS Signature ID: 99990,CIDS Signature string: ARP Cache Poison,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:`
+
+### Agent System Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System
+
+`exampleHostname,Category: 0,CVE,New content update failed to download from the management server. Remote file path: https://server:443/content/{02335EF8-ADE1-4DD8-9F0F-2A9662352E65}/190815061/xdelta190815061_To_190816061.dax,Event time: 2019-08-19 07:14:38`
+
+### Agent Traffic Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic
+
+`host-plaintext,Local Host IP: 216.160.83.61,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 216.160.83.61,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000`
+
+### Policy Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy
+
+`Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName`
+
+### System Log
+
+Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System
+
+`Site: SEPSite,Server: exampleHostname,Symantec Endpoint Protection Manager could not update Intrusion 
Prevention Signatures 14.0.`
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. 
| keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. 
| keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| file.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file. 
| long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.hostname | Hostname parsed from syslog header. | keyword |
+| log.syslog.priority | | long |
+| log.syslog.process.name | | keyword |
+| log.syslog.process.pid | | long |
+| log.syslog.structured_data | | flattened |
+| log.syslog.version | | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
See the documentation section "Implementing ECS". | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| observer.product | The product name of the observer. | constant_keyword |
+| observer.type | The type of the observer the data is coming from. | constant_keyword |
+| observer.vendor | Vendor name of the observer. | constant_keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.port | Port of the source. | long |
+| symantec_endpoint.log.action | The action taken on the traffic, e.g. "Blocked". | keyword |
+| symantec_endpoint.log.actual_action | Actual action from risk logs and proactive detection (SONAR) logs. | keyword |
+| symantec_endpoint.log.admin | Name of the SEPM admin. | keyword |
+| symantec_endpoint.log.api_name | API name that was blocked (agent behavior log). | keyword |
+| symantec_endpoint.log.application | The full path name of the application involved. | keyword |
+| symantec_endpoint.log.application_hash | The hash for this application. 
| keyword |
+| symantec_endpoint.log.application_name | The application name. | keyword |
+| symantec_endpoint.log.application_type | Application type (Trojan, key logger etc). | keyword |
+| symantec_endpoint.log.application_version | The application version. | keyword |
+| symantec_endpoint.log.begin | Start time of the event (also see event.start). | keyword |
+| symantec_endpoint.log.caller_process_id | The ID of the process that triggers the logging. | keyword |
+| symantec_endpoint.log.caller_process_name | The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". | keyword |
+| symantec_endpoint.log.caller_return_address | The return address of the caller. This field allows the detection of the calling module that makes the API call. This is historically not used. You can expect Return Address to always be 0. | keyword |
+| symantec_endpoint.log.caller_return_module_name | The module name of the caller. See CallerReturnAddress for more information. Return Module name is historically unused. You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. | keyword |
+| symantec_endpoint.log.category | Agent system log category (generally not populated by SEPM). | keyword |
+| symantec_endpoint.log.category_set | Agent risk log category. | keyword |
+| symantec_endpoint.log.category_type | Agent risk log category type. | keyword |
+| symantec_endpoint.log.certificate_issuer | The certificate's issuer. | keyword |
+| symantec_endpoint.log.certificate_serial_number | The certificate's serial number. | keyword |
+| symantec_endpoint.log.certificate_signer | The certificate's signer. | keyword |
+| symantec_endpoint.log.certificate_thumbprint | The certificate's thumbprint. 
| keyword |
+| symantec_endpoint.log.cids_signature_id | The signature ID. | keyword |
+| symantec_endpoint.log.cids_signature_string | The signature name. | keyword |
+| symantec_endpoint.log.cids_signature_subid | The signature sub ID. | keyword |
+| symantec_endpoint.log.coh_engine_version | TruScan engine version. | keyword |
+| symantec_endpoint.log.command | Command sent from the SEPM. | keyword |
+| symantec_endpoint.log.company_name | The company name from the application (used in agent risk logs). | keyword |
+| symantec_endpoint.log.computer_name | Name of the host machine (used in agent risk/scan logs). | keyword |
+| symantec_endpoint.log.confidence | The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." | keyword |
+| symantec_endpoint.log.description | Description of the virus file. | keyword |
+| symantec_endpoint.log.detection_score | Score of detection. | keyword |
+| symantec_endpoint.log.detection_source | Source of the detection. | keyword |
+| symantec_endpoint.log.detection_type | Type of detection (e.g. heuristic). | keyword |
+| symantec_endpoint.log.device_id | The GUID of an external device (floppy disk, DVD, USB device, etc.). | keyword |
+| symantec_endpoint.log.disposition | Good / Bad / Unknown / Not available. | keyword |
+| symantec_endpoint.log.domain_name | SEPM domain name. | keyword |
+| symantec_endpoint.log.download_site | The URL determined from where the image was downloaded. | keyword |
+| symantec_endpoint.log.downloaded_by | The creator process of the dropper threat. | keyword |
+| symantec_endpoint.log.duration_seconds | The length of the scan, in seconds. | keyword |
+| symantec_endpoint.log.end | Start time of the event (also see event.end). | keyword |
+| symantec_endpoint.log.event_description | Description of the event. Usually, the first line of the description is treated as the summary. 
| keyword | +| symantec_endpoint.log.event_source | The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. | keyword | +| symantec_endpoint.log.event_time | Time of event occurrence. | date | +| symantec_endpoint.log.file_path | The file path of the attacked file. | keyword | +| symantec_endpoint.log.file_size_bytes | File size of application. | keyword | +| symantec_endpoint.log.first_seen | The first seen date for the convicted application. | keyword | +| symantec_endpoint.log.group | SEPM client group name. | keyword | +| symantec_endpoint.log.hash_type | Application hash type (MD5, SHA1, SHA256 etc). | keyword | +| symantec_endpoint.log.infected | The number of files that the scan found that were infected. | long | +| symantec_endpoint.log.inserted | The time that the event was inserted into the database. | date | +| symantec_endpoint.log.intensive_protection_level | The High Intensity Detection Level. | keyword | +| symantec_endpoint.log.intrusion_id | Intrusion ID. | keyword | +| symantec_endpoint.log.intrusion_payload_url | The URL that hosted the payload. | keyword | +| symantec_endpoint.log.intrusion_url | The URL from the detection. | keyword | +| symantec_endpoint.log.ip_address | IP Address of the machine. | keyword | +| symantec_endpoint.log.last_update_time | The time on the server when the event is logged into the system or updated in the system (GMT). | date | +| symantec_endpoint.log.local_host | The host name of the client computer. | keyword | +| symantec_endpoint.log.local_host_ip | The IP address of the local computer. | keyword | +| symantec_endpoint.log.local_host_mac | The MAC address of the local computer. | keyword | +| symantec_endpoint.log.local_host_name | The host name of the client computer. | keyword | +| symantec_endpoint.log.local_port | The TCP/UDP port of the local computer. | keyword | +| symantec_endpoint.log.location | The location used when the event occurred. 
| keyword | +| symantec_endpoint.log.md-5 | The MD5 hash value. | keyword | +| symantec_endpoint.log.network_protocol | Localized string for Others/ TCP/ UDP/ ICMP. | keyword | +| symantec_endpoint.log.occurrences | The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. | keyword | +| symantec_endpoint.log.omitted | The number of files that were omitted. | long | +| symantec_endpoint.log.parameters | Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. | keyword | +| symantec_endpoint.log.permitted_application_reason | Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). | keyword | +| symantec_endpoint.log.policy_name | Name of the policy. | keyword | +| symantec_endpoint.log.prevalence | Number of users that have seen this. | keyword | +| symantec_endpoint.log.remote_host_ip | The IP address of the remote computer. | keyword | +| symantec_endpoint.log.remote_host_mac | The MAC address of the remote computer. | keyword | +| symantec_endpoint.log.remote_port | The TCP/UDP port of the remote computer. | keyword | +| symantec_endpoint.log.requested_action | Requested action by policy. | keyword | +| symantec_endpoint.log.risk_level | The risk level (high, med, low) for the convicted threat. 
| keyword | +| symantec_endpoint.log.risk_name | | keyword | +| symantec_endpoint.log.risk_type | Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. | keyword | +| symantec_endpoint.log.rule | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. | keyword | +| symantec_endpoint.log.scan_complete | Scan message when scan ended. | keyword | +| symantec_endpoint.log.scan_id | The scan ID provided by the agent. | keyword | +| symantec_endpoint.log.secondary_action | Secondary action requested by policy | keyword | +| symantec_endpoint.log.sensitivity | Engine sensitivity that produced this detection | long | +| symantec_endpoint.log.server | Name of the server. | keyword | +| symantec_endpoint.log.server_name | Name of the server. | keyword | +| symantec_endpoint.log.sha-256 | The SHA-256 hash value. | keyword | +| symantec_endpoint.log.signing_timestamp | The certificate's signature timestamp. | date | +| symantec_endpoint.log.site | SEPM site name. | keyword | +| symantec_endpoint.log.source | Scan source (e.g. scheduled). | keyword | +| symantec_endpoint.log.source_computer | Computer name where this event occurred. | keyword | +| symantec_endpoint.log.source_ip | IP address of the machine on which the event occurred. | keyword | +| symantec_endpoint.log.submission_recommended | Recommendation on whether to submit this detection to Symantec. | boolean | +| symantec_endpoint.log.threats | The number of threats that the scan found. | long | +| symantec_endpoint.log.total_files | The number of files scanned. 
| long | +| symantec_endpoint.log.traffic_direction | Unknown / Inbound / Outbound | keyword | +| symantec_endpoint.log.url_tracking_status | Network intrusion prevention status | keyword | +| symantec_endpoint.log.user1 | User when scan started. | keyword | +| symantec_endpoint.log.user2 | User when scan ended. | keyword | +| symantec_endpoint.log.user_name | | keyword | +| symantec_endpoint.log.web_domain | The web domain. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | + + +An example event for `log` looks as following: + +```json +{ + "process": { + "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE", + "hash": { + "sha256": "5379732000000000000000000000000000000000000000000000000000000000", + "md5": "53797320000000000000000000000000" + } + }, + "log": { + "syslog": { + "process": { + "name": "myproc", + "pid": 8710 + }, + "hostname": "192.0.2.1", + "priority": 165, + "version": 1 + } + }, + "destination": { + "geo": { + "name": "Default" + }, + "address": "192.168.1.113", + "port": 80, + "mac": "CC-F9-E4-A9-12-26", + "ip": "192.168.1.113" + }, + "rule": { + "name": "Block Unapproved Incoming Ports" + }, + "source": { + "address": "192.168.1.1", + "port": 33424, + "mac": "2C-3A-FD-A7-9E-71", + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "network": { + "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=", + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "@timestamp": "2021-11-16T12:14:15.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "hash": [ + "53797320000000000000000000000000", + "5379732000000000000000000000000000000000000000000000000000000000" + ], + "ip": [ + "192.168.1.113", + "192.168.1.1" + ] + }, + "host": { + "name": "host-rfc5424", + "hostname": "host-rfc5424", + "mac": [ + "CC-F9-E4-A9-12-26" + ], + "ip": [ + "192.168.1.113" + ] + }, + "symantec_endpoint": { + "log": { + "occurrences": "4", + "sha-256": "5379732000000000000000000000000000000000000000000000000000000000", + "local_port": "80", + "user_name": "sampleuser4", + "remote_port": "33424", + "rule": "Block Unapproved Incoming Ports", + "md-5": "53797320000000000000000000000000", + "network_protocol": "TCP", + "traffic_direction": "Inbound", + "remote_host_ip": "192.168.1.1", + "remote_host_mac": "2C3AFDA79E71", + "domain_name": "SMPL", + "application": "C:/WINDOWS/system32/NTOSKRNL.EXE", + "local_host_ip": "192.168.1.113", + "action": "blocked", + "end": "2020-11-11 
19:25:28", + "location": "Default", + "local_host_mac": "CCF9E4A91226", + "begin": "2020-11-11 19:25:21" + } + }, + "event": { + "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000", + "provider": "Agent Traffic Log", + "kind": "event", + "start": "2020-11-11T19:25:21.000Z", + "count": 4, + "action": "blocked", + "end": "2020-11-11T19:25:28.000Z", + "category": [ + "intrusion_detection", + "network", + "process" + ], + "type": [ + "connection", + "denied" + ] + }, + "user": { + "name": "sampleuser4", + "domain": "SMPL" + } +} +``` diff --git a/packages/symantec_endpoint/0.0.4/img/logo.svg b/packages/symantec_endpoint/0.0.4/img/logo.svg new file mode 100755 index 0000000000..1b87d1e578 --- /dev/null +++ b/packages/symantec_endpoint/0.0.4/img/logo.svg @@ -0,0 +1,35 @@ + + + +image/svg+xml diff --git a/packages/symantec_endpoint/0.0.4/img/symantec-endpoint-logs-overview.png b/packages/symantec_endpoint/0.0.4/img/symantec-endpoint-logs-overview.png new file mode 100755 index 0000000000..e2c8f8f867 Binary files /dev/null and b/packages/symantec_endpoint/0.0.4/img/symantec-endpoint-logs-overview.png differ diff --git a/packages/symantec_endpoint/0.0.4/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json b/packages/symantec_endpoint/0.0.4/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json new file mode 100755 index 0000000000..89e8d78857 --- /dev/null 
+++ b/packages/symantec_endpoint/0.0.4/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"symantec_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"symantec_endpoint.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c971e3e3-37d5-4171-93af-956925edabb1\":{\"columnOrder\":[\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\",\"5a933de5-3586-4844-88e8-4860130de30b\"],\"columns\":{\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5a933de5-3586-4844-88e8-4860130de30b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Log Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a933de5-3586-4844-88e8-4860130de30b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"5a933de5-3586-4844-88e8-4860130de30b\"],\"layerId\":\"c971e3e3-37d5-4171-93af-956925edabb1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"xAccessor\":\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"title\":\"Log Types over 
Time\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\":{\"columnOrder\":[\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"5564c2e5-debb-45e0-a159-0e7f229b2b94\",\"d2354973-ded4-4075-8afd-ae1835d1ea18\"],\"columns\":{\"21fba635-b5ea-4d84-af67-d710ec8ad164\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"5564c2e5-debb-45e0-a159-0e7f229b2b94\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"d2354973-ded4-4075-8afd-ae1835d1ea18\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"lens_heatmap_legendConfig\"},\"shape\":\"heatmap\",\"valueAccessor\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"xAccessor\":\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"yAccessor\":\"5564c2e5-debb-45e0-a159-0e7f229b2b94\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"title\":\"Event Category/Type Matrix\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
process.executable\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"process.executable\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"w\":20,\"x\":0,\"y\":15},\"panelIndex\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"title\":\"Process 
Executables\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of file.path\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"file.path\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false,\"width\":654},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"
bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"w\":20,\"x\":20,\"y\":15},\"panelIndex\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"title\":\"File Paths\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028dd220-5ea4-4938-a753-3a833f191e13\":{\"columnOrder\":[\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\"],\"columns\":{\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c10eaf4e-5353-41d6-937d-c45050d15294\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
host.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":100},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"isTransposed\":false},{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"isTransposed\":false}],\"layerId\":\"028dd220-5ea4-4938-a753-3a833f191e13\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"w\":8,\"x\":40,\"y\":15},\"panelIndex\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"title\":\"Hosts\",\"type\":\"lens\",\"version\":\"7.16.0\"}]", + "timeRestore": false, + "title": "[Symantec Endpoint Log] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a", + "type": 
"index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/0.0.4/manifest.yml b/packages/symantec_endpoint/0.0.4/manifest.yml
new file mode 100755
index 0000000000..ca179ab213
--- /dev/null
+++ b/packages/symantec_endpoint/0.0.4/manifest.yml
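Review bot: The first entry of the `references` array binds `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` to the `metrics-*` index pattern, while the filter it backs (`data_stream.dataset: symantec_endpoint.log`) and every panel reference in the same array use `logs-*`. That looks like a leftover from whichever dashboard this export was cloned from; unless Kibana is known to ignore the pattern id for a phrase filter, I would change that entry to `"id": "logs-*"` so the dashboard filter resolves against the same index pattern as its panels. The same section's `panelsJSON` lines are unaffected; the point applies only to this references block.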
@@ -0,0 +1,37 @@
+name: symantec_endpoint
+title: Symantec Endpoint Protection
+version: 0.0.4
+release: beta
+description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security"]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/logo.svg
+ title: Symantec
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/symantec-endpoint-logs-overview.png
+ title: Symantec Endpoint Logs Overview Dashboard
+ size: 2970x2234
+ type: image/png
+policy_templates:
+ - name: symantec
+ title: Symantec Endpoint Protection logs
+ description: Collect Symantec Endpoint Protection logs from file or over syslog.
+ inputs:
+ - type: logfile
+ title: Collect logs from file
+ description: Collect Symantec Endpoint Protection logs from file.
+ - type: tcp
+ title: Collect logs over TCP
+ description: Collect Symantec Endpoint Protection logs over TCP.
+ - type: udp
+ title: Collect logs over UDP
+ description: Collect Symantec Endpoint Protection logs over UDP.
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_abusech/1.3.1/changelog.yml b/packages/ti_abusech/1.3.1/changelog.yml
new file mode 100755
index 0000000000..5f4dd6afca
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/changelog.yml
@@ -0,0 +1,86 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.3"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.1"
+ changes:
+ - description: Fix field mapping conflicts in `threat.indicator.file.x509.not_before/not_after`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2893
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2445
+- version: "1.1.5"
+ changes:
+ - description: Removes extra tag from dashboards
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2544
+- version: "1.1.4"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.1.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.1.2"
+ changes:
+ - description: Fixing typo in base-fields.yml
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2331
+- version: "1.1.1"
+ changes:
+ - description: Update ECS fields for threat.feed.name
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2293
+- version: "1.1.0"
+ changes:
+ - description: Adding dashboards and adding minor tweaks to pipeline
+ type: enhancement
+ link: 
https://github.com/elastic/integrations/pull/2072
+- version: "1.0.4"
+ changes:
+ - description: Bump minimum version in manifest
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2072
+- version: "1.0.3"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.2"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.0.1"
+ changes:
+ - description: Fix invisible package icon
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1939
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1866
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.1/data_stream/malware/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..457acc00d6
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,38 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+
+response.split:
+ target: body.payloads
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
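Review bot: `request.url: {{url}}`, `request.proxy_url: {{proxy_url}}` and the per-item `- {{tag}}` expansion in the tags loop are rendered as plain YAML scalars, so a value containing `: ` or ` #` would be mis-parsed or truncated, and a tag such as `no` or `on` would be read as a boolean rather than a string. Unless the package tooling is known to quote these on render, I would write `request.url: "{{url}}"`, `request.proxy_url: "{{proxy_url}}"` and `- "{{tag}}"`; `interval: {{interval}}` is fine as long as the values are durations like `10m`. The stray space in `{{#if proxy_url }}` is harmless but inconsistent with the other `{{#if}}` blocks in the same template.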
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.1/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f0843a6497
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,156 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.2.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malware + - fingerprint: + fields: + - abusech.malware.md5_hash + - abusech.malware.sha256_hash + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + - date: + field: abusech.malware.firstseen + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malware?.firstseen != null" + - set: + field: threat.indicator.type + value: file + - rename: + field: abusech.malware.file_size + target_field: threat.indicator.file.size + ignore_missing: true + - rename: + field: abusech.malware.file_type + target_field: threat.indicator.file.type + ignore_missing: true + # This includes a direct link to malicious files, we do not want them to appear in Kibana + # in case they are accidently clicked. 
+ - remove: + field: abusech.malware.urlhaus_download + ignore_missing: true + - convert: + field: threat.indicator.file.size + type: long + ignore_missing: true + - convert: + field: abusech.malware.virustotal.percent + type: float + ignore_missing: true + - rename: + field: abusech.malware.md5_hash + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: abusech.malware.sha256_hash + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: abusech.malware.imphash + target_field: threat.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: abusech.malware.ssdeep + target_field: threat.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: abusech.malware.tlsh + target_field: threat.indicator.file.hash.tlsh + ignore_missing: true + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.md5}}}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.sha256}}}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.ssdeep}}}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{{threat.indicator.file.pe.imphash}}}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.tlsh}}}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void 
handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.malware.firstseen + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/fields/agent.yml b/packages/ti_abusech/1.3.1/data_stream/malware/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/malware/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/fields/base-fields.yml b/packages/ti_abusech/1.3.1/data_stream/malware/fields/base-fields.yml
new file mode 100755
index 0000000000..6803389c14
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.malware
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH Malware
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/fields/beats.yml b/packages/ti_abusech/1.3.1/data_stream/malware/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/fields/ecs.yml b/packages/ti_abusech/1.3.1/data_stream/malware/fields/ecs.yml
new file mode 100755
index 0000000000..b819e36147
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/fields/ecs.yml 
@@ -0,0 +1,111 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: SSDEEP hash. + name: threat.indicator.file.hash.ssdeep + type: keyword +- description: The file's import tlsh, if available. 
+ name: threat.indicator.file.hash.tlsh
+ type: keyword
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/fields/fields.yml b/packages/ti_abusech/1.3.1/data_stream/malware/fields/fields.yml
new file mode 100755
index 0000000000..970fa42a04
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/fields/fields.yml
@@ -0,0 +1,24 @@
+- name: abusech.malware
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: signature
+ type: keyword
+ description: >
+ Malware familiy.
+
+ - name: virustotal.result
+ type: keyword
+ description: >
+ AV detection ration.
+
+ - name: virustotal.percent
+ type: float
+ description: >
+ AV detection in percent.
+
+ - name: virustotal.link
+ type: keyword
+ description: >
+ Link to the Virustotal report.
+
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/manifest.yml b/packages/ti_abusech/1.3.1/data_stream/malware/manifest.yml
new file mode 100755
index 0000000000..9b986685b1
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/manifest.yml
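Review bot: The `threat.indicator.file.type` mapping in `ecs.yml` documents the ECS meaning of the field (`File type (file, dir, or symlink).`), but the ingest pipeline of this same data stream renames the feed's `file_type` into it, and the package's sample event shows the value `unknown` landing there; the mapping therefore promises one vocabulary and indexes another. The sibling malwarebazaar pipeline maps the equivalent feed field to `threat.indicator.file.extension`; doing the same here, and mapping that field instead, would keep the description truthful for anyone querying `file.type:file` across indices.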
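Review bot: The `abusech.malware` group in `fields.yml` is described as `All fields related to AbuseCH URL indicators.` although this stream carries the payload/malware feed, and two field descriptions contain typos that will show up verbatim in Kibana's field browser (`Malware familiy.`, `AV detection ration.`). Suggested text: `All fields related to AbuseCH malware (URLhaus payload) indicators.`, `Malware family.` and `AV detection ratio.`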
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH Malware logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH Malware API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://urlhaus-api.abuse.ch/v1/payloads/recent/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-malware
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH Malware logs
+ description: Collect AbuseCH Malware logs
diff --git a/packages/ti_abusech/1.3.1/data_stream/malware/sample_event.json b/packages/ti_abusech/1.3.1/data_stream/malware/sample_event.json
new file mode 100755
index 0000000000..7f6f1afed4
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malware/sample_event.json
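Review bot: The `proxy_url` description tells the operator to embed credentials in the URL (rendered here as `http[s]://:@:`, with the user/password/host/port placeholders apparently stripped, so the shipped text should be checked), yet the variable is a plain `type: text`, which presumably means a proxy password entered this way is kept and displayed like any other setting in the agent policy; the description should spell out the placeholders and say so, e.g. `URL to proxy connections in the form of http[s]://user:password@proxy_host:proxy_port. Credentials given here are stored in the agent policy in clear text.` The `ssl` variable (`type: yaml`, `show_user: false`) has no description at all, so nothing tells the operator that it is passed through as the input's `request.ssl` option block (CA, client certificate, verification mode); a one-line description naming those options would help people configure CA trust correctly instead of disabling verification to get past a proxy.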
@@ -0,0 +1,69 @@ +{ + "@timestamp": "2022-04-11T08:43:51.252Z", + "abusech": { + "malware": {} + }, + "agent": { + "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:43:51.252Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-04-11T08:43:52Z", + "kind": "enrichment", + "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "9cd5a4f0231a47823c4adba7c8ef370f", + "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", + "48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n", + "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "9cd5a4f0231a47823c4adba7c8ef370f", + "sha256": "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", + "ssdeep": 
"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n",
+ "tlsh": "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1"
+ },
+ "pe": {},
+ "size": 1563,
+ "type": "unknown"
+ },
+ "first_seen": "2021-10-05T04:17:02.000Z",
+ "type": "file"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..1684323a35
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,44 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+- set:
+ target: url.params.query
+ value: get_recent
+- set:
+ target: url.params.selector
+ value: time
+
+response.split:
+ target: body.data
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..3b5f298c44
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml
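Review bot: The `request.transforms` for this `POST` set `query=get_recent` and `selector=time` through `url.params.*`, which places them in the URL query string, while the `Content-Type: application/x-www-form-urlencoded` header announces a form body that no transform ever builds; if the MalwareBazaar endpoint reads only the POST body the request returns nothing useful, and if it accepts either, the header is misleading about what is sent. A form body would be expressed as `target: body.query` / `value: get_recent` and `target: body.selector` / `value: time`, which httpjson can encode according to the form content type (or `request.encode_as`) — worth confirming against the API and the package's system test before changing. As in the sibling stream, `{{#if proxy_url }}` has a stray space before `}}` and `request.url: {{url}}` is rendered unquoted.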
@@ -0,0 +1,242 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.2.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malwarebazaar + - fingerprint: + fields: + - abusech.malwarebazaar.md5_hash + - abusech.malwarebazaar.sha256_hash + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + - date: + field: abusech.malwarebazaar.first_seen + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malwarebazaar?.first_seen != null" + - date: + field: abusech.malwarebazaar.last_seen + target_field: threat.indicator.last_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malwarebazaar?.last_seen != null" + - set: + field: threat.indicator.type + value: file + - rename: + field: abusech.malwarebazaar.file_name + target_field: threat.indicator.file.name + ignore_missing: true + - rename: + field: abusech.malwarebazaar.file_type_mime + target_field: threat.indicator.file.mime_type + ignore_missing: true + - rename: + field: abusech.malwarebazaar.reporter + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: abusech.malwarebazaar.origin_country + target_field: threat.indicator.geo.country_iso_code + ignore_missing: true + - rename: + field: abusech.malwarebazaar.signature + target_field: threat.software.alias + ignore_missing: true + - foreach: + field: abusech.malwarebazaar.code_sign + 
ignore_missing: true + processor: + rename: + field: _ingest._value.subject_cn + target_field: threat.indicator.file.x509.subject.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.issuer_cn + target_field: threat.indicator.file.x509.issuer.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.algorithm + target_field: threat.indicator.file.x509.public_key_algorithm + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.valid_from + target_field: threat.indicator.file.x509.not_before + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.valid_to + target_field: threat.indicator.file.x509.not_after + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.serial_number + target_field: threat.indicator.file.x509.serial_number + - rename: + field: abusech.malwarebazaar.file_size + target_field: threat.indicator.file.size + ignore_missing: true + - rename: + field: abusech.malwarebazaar.file_type + target_field: threat.indicator.file.extension + ignore_missing: true + - rename: + field: abusech.malwarebazaar.md5_hash + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha256_hash + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha1_hash + target_field: threat.indicator.file.hash.sha1 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha3_384_hash + target_field: threat.indicator.file.hash.sha384 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.imphash + target_field: threat.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: 
abusech.malwarebazaar.ssdeep + target_field: threat.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: abusech.malwarebazaar.tlsh + target_field: threat.indicator.file.hash.tlsh + ignore_missing: true + - rename: + field: abusech.malwarebazaar.telfhash + target_field: threat.indicator.file.elf.telfhash + ignore_missing: true + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.md5 }}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.sha256 }}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.ssdeep }}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{ threat.indicator.file.pe.imphash }}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{ threat.indicator.file.elf.telfhash }}" + if: ctx?.threat?.indicator?.file?.elf?.telfhash != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.tlsh }}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null + - convert: + field: threat.indicator.file.size + type: long + ignore_missing: true + - convert: + field: abusech.malwarebazaar.intelligence.downloads + type: long + ignore_missing: true + - convert: + field: abusech.malwarebazaar.intelligence.uploads + type: long + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x 
instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.malwarebazaar.first_seen + - abusech.malwarebazaar.last_seen + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/agent.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/agent.yml 
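Review bot: The rename of `abusech.malwarebazaar.sha3_384_hash` to `threat.indicator.file.hash.sha384` mislabels the algorithm — ECS `hash.sha384` is SHA-384 from the SHA-2 family, whereas the feed field is SHA3-384 — so indicator matching against SHA-384 values from other sources silently never hits; drop that rename and keep the value under its own `abusech.malwarebazaar.sha3_384_hash` field. The six `foreach` processors over `code_sign` each `rename` into a single scalar target (e.g. `threat.indicator.file.x509.subject.common_name`), and `rename` fails when the source is missing or the target already exists, so a second certificate entry, or one lacking a key, aborts the pipeline before the hash renames and `related.hash` appends run, leaving a document with only `error.message`; at minimum add `ignore_missing: true` to each inner rename and guard against more than one entry. The `related.hash` appends here use double braces (`{{ threat.indicator.file.hash.ssdeep }}`) while the sibling malware pipeline uses `{{{ … }}}`; double braces are subject to Mustache escaping and ssdeep values contain `/` and `+` (see the sample event), so the triple-brace form should be used consistently. The pipeline `description` (`Pipeline for parsing Abuse.ch URL Threat Intel`) is copied from the URL stream and should name MalwareBazaar.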
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/base-fields.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/base-fields.yml
new file mode 100755
index 0000000000..d71e6e59d4
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.malwarebazaar
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH MalwareBazaar
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/beats.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/ecs.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/ecs.yml
new file mode 100755
index 0000000000..685f7565cb
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/ecs.yml 
@@ -0,0 +1,160 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. 
+ Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.file.extension + type: keyword +- description: SHA1 hash. 
+ name: threat.indicator.file.hash.sha1 + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: threat.indicator.file.mime_type + type: keyword +- description: |- + The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. + While not required, you can use a MITRE ATT&CK® associated software description. + name: threat.software.alias + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: SSDEEP hash. + name: threat.indicator.file.hash.ssdeep + type: keyword +- description: The file's sha384 hash, if available. + name: threat.indicator.file.hash.sha384 + type: keyword +- description: The file's import tlsh, if available. + name: threat.indicator.file.hash.tlsh + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: telfhash symbol hash for ELF file. + name: threat.indicator.file.elf.telfhash + type: keyword +- description: List of common names (CN) of subject. + name: threat.indicator.file.x509.subject.common_name + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: threat.indicator.file.x509.issuer.common_name + type: keyword +- description: Algorithm used to generate the public key. 
+ name: threat.indicator.file.x509.public_key_algorithm + type: keyword +- description: Time at which the certificate is first considered valid. + name: threat.indicator.file.x509.not_before + type: date +- description: Time at which the certificate is no longer considered valid. + name: threat.indicator.file.x509.not_after + type: date +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: threat.indicator.file.x509.serial_number + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/fields.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/fields.yml new file mode 100755 index 0000000000..8fab848b82 --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/fields/fields.yml @@ -0,0 +1,45 @@ +- name: abusech.malwarebazaar + type: group + description: All fields related to AbuseCH URL indicators. + fields: + - name: tags + type: keyword + description: > + A list of tags associated with the queried malware sample. + + - name: intelligence + type: group + fields: + - name: downloads + type: long + description: > + Number of downloads from MalwareBazaar. + + - name: uploads + type: long + description: > + Number of uploads from MalwareBazaar. + + - name: mail + type: group + fields: + - name: Generic + type: keyword + description: > + Malware seen in generic spam traffic. + + - name: IT + type: keyword + description: > + Malware seen in IT spam traffic. + + - name: anonymous + type: long + description: > + Identifies if the sample was submitted anonymously. + + - name: code_sign + type: keyword + description: > + Code signing information for the sample. + 
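Review bot: The description of `threat.indicator.file.hash.tlsh` reads `The file's import tlsh, if available.`; "import" belongs to the imphash entry a few lines below, so the line should be `description: The file's TLSH, if available.`. Separately, `related.hash` is documented as "All the hashes seen on your event", yet the malwarebazaar sample event in this commit carries `sha1` and `sha384` under `threat.indicator.file.hash` without listing them in `related.hash`; the append processors that populate it live in the malwarebazaar pipeline outside this hunk, so either append those two as well or soften the description. The `sha384` and `tlsh` entries also use a different voice ("The file's …") from the sibling `MD5 hash.` / `SHA256 hash.` entries; aligning them is cosmetic.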
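Review bot: The `abusech.malwarebazaar` group is described as `All fields related to AbuseCH URL indicators.`, which reads as copied from the url data stream; change it to `description: All fields related to AbuseCH MalwareBazaar indicators.`. The `anonymous` field is typed `long` but described as a yes/no property; the sample event in this commit reports `"anonymous": 0`, so the type matches the feed, but the description should say so, e.g. `Whether the sample was submitted anonymously, as the 0/1 flag reported by MalwareBazaar.`. `mail.Generic` and `mail.IT` are the only capitalised field names in the package; if they mirror the upstream JSON keys, a one-line comment saying so would spare the next reader a search.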
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/manifest.yml b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/manifest.yml
new file mode 100755
index 0000000000..61b6d55edc
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/manifest.yml
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH MalwareBazaar logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH MalwareBazaar API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://mb-api.abuse.ch/api/v1/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-malwarebazaar
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH MalwareBazaar logs
+ description: Collect AbuseCH MalwareBazaar logs
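Review bot: The `proxy_url` description ends in `http[s]://:@:`, a form with only the separators and no placeholders, so a user cannot tell what goes between them; if the bracketed placeholders were lost only in this rendering ignore this, otherwise write `description: URL to proxy connections in the form of http[s]://USER:PASSWORD@HOST:PORT`. The `ssl` variable is the only one in the stream without a description; something like `description: SSL settings applied to the connection to the MalwareBazaar API, as accepted by the httpjson input.` tells the operator what the YAML value is expected to hold. The `url` endpoint is hidden (`show_user: false`) and undescribed, so a short description naming the API it queries is the only place an operator would see where outbound requests go.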
diff --git a/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/sample_event.json
new file mode 100755
index 0000000000..b4249697f8
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/malwarebazaar/sample_event.json
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2022-04-11T08:44:21.828Z", + "abusech": { + "malwarebazaar": { + "anonymous": 0, + "code_sign": [], + "intelligence": { + "downloads": 11, + "uploads": 1 + }, + "tags": [ + "exe", + "RedLineStealer" + ] + } + }, + "agent": { + "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.malwarebazaar", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:44:21.828Z", + "dataset": "ti_abusech.malwarebazaar", + "ingested": "2022-04-11T08:44:22Z", + "kind": "enrichment", + "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}", + "type": "indicator" + }, + "input": { + 
"type": "httpjson" + }, + "related": { + "hash": [ + "1fc1c2997c8f55ac10496b88e23f5320", + "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "f34d5f2d4577ed6d9ceec516c1f5a744", + "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-malwarebazaar" + ], + "threat": { + "indicator": { + "file": { + "elf": {}, + "extension": "exe", + "hash": { + "md5": "1fc1c2997c8f55ac10496b88e23f5320", + "sha1": "42c7153680d7402e56fe022d1024aab49a9901a0", + "sha256": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "sha384": "d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955", + "ssdeep": "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "tlsh": "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + }, + "mime_type": "application/x-dosexec", + "name": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe", + "pe": { + "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744" + }, + "size": 432640 + }, + "first_seen": "2021-10-05T14:02:45.000Z", + "geo": { + "country_iso_code": "FR" + }, + "provider": "abuse_ch", + "type": "file" + }, + "software": { + "alias": "RedLineStealer" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.1/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.1/data_stream/url/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..92be22f0b6 --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/url/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,38 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+
+response.split:
+ target: body.urls
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.3.1/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.1/data_stream/url/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1765d7608a
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/url/elasticsearch/ingest_pipeline/default.yml
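Review bot: `{{#if proxy_url }}` carries a stray space before `}}` that none of the other conditionals in this template have; `{{#if proxy_url}}` keeps them uniform. The per-tag lines render as `- {{tag}}` with no quoting, so a user-supplied tag that YAML retypes (`on`, `no`, `1.0`) or that contains ` #` would not reach the input as the string the user typed; rendering `  - "{{tag}}"` removes that ambiguity, provided the helper does not escape quotes in the value. `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}` are rendered the same way; URL syntax rarely trips the parser, but the same quoting would make them robust to a value that does.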
@@ -0,0 +1,123 @@
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.url
+ - fingerprint:
+ fields:
+ - abusech.url.id
+ target_field: "_id"
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - set:
+ field: threat.indicator.type
+ value: url
+ - date:
+ field: abusech.url.date_added
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ if: "ctx.abusech?.url?.date_added != null"
+ - uri_parts:
+ field: abusech.url.url
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ - set:
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
+ ignore_empty_value: true
+ - rename:
+ field: abusech.url.urlhaus_reference
+ target_field: threat.indicator.reference
+ ignore_missing: true
+
+ # Host can be both IP addresses and domain names
+ - grok:
+ field: abusech.url.host
+ patterns:
+ - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})"
+ ignore_failure: true
+ - rename:
+ field: abusech.url.reporter
+ target_field: threat.indicator.provider
+ ignore_missing: true
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx?.threat?.indicator?.type == null
+ - convert:
+ field: abusech.url.larted
+ type: boolean
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx?.abusech != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - abusech.url.date_added
+ - abusech.url.url
+ - abusech.url.host
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/1.3.1/data_stream/url/fields/agent.yml b/packages/ti_abusech/1.3.1/data_stream/url/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/url/fields/agent.yml
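Review bot: The cleanup script drops `null` values but leaves behind the empty maps that remain once their only child was removed (`map.values().removeIf(v -> v == null);`); the malwarebazaar pipeline at the top of this chunk uses the same script, and its sample event in this commit still carries `"elf": {}`. Because the recursion runs before the removal, extending the predicate to `map.values().removeIf(v -> v == null || (v instanceof Map && ((Map) v).isEmpty()));` clears such leftovers in both pipelines. `ecs.version` is pinned to `"8.0.0"` here while that same sample event reports `8.2.0`, so the two data streams of one package version appear to declare different ECS versions; confirm which is intended. The `fingerprint` of `abusech.url.id` into `_id` has no `ignore_missing`, so a record lacking `id` is routed to `on_failure` and indexed with a generated id; if that is deliberate, a comment such as `# intentionally no ignore_missing: a record without an id is surfaced via on_failure` would record the choice.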
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.3.1/data_stream/url/fields/base-fields.yml b/packages/ti_abusech/1.3.1/data_stream/url/fields/base-fields.yml new file mode 100755 index 0000000000..516451aa4c --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/url/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_abusech +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_abusech.url +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: AbuseCH URL +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_abusech/1.3.1/data_stream/url/fields/beats.yml b/packages/ti_abusech/1.3.1/data_stream/url/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/url/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_abusech/1.3.1/data_stream/url/fields/ecs.yml b/packages/ti_abusech/1.3.1/data_stream/url/fields/ecs.yml new file mode 100755 index 0000000000..40047f4b1f --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/url/fields/ecs.yml 
@@ -0,0 +1,133 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword diff --git a/packages/ti_abusech/1.3.1/data_stream/url/fields/fields.yml b/packages/ti_abusech/1.3.1/data_stream/url/fields/fields.yml new file mode 100755 index 0000000000..63f361d48e --- /dev/null +++ b/packages/ti_abusech/1.3.1/data_stream/url/fields/fields.yml 
@@ -0,0 +1,49 @@
+- name: abusech.url
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the indicator.
+
+ - name: urlhaus_reference
+ type: keyword
+ description: >
+ Link to URLhaus entry.
+
+ - name: url_status
+ type: keyword
+ description: >
+ The current status of the URL. Possible values are: online, offline and unknown.
+
+ - name: threat
+ type: keyword
+ description: >
+ The threat corresponding to this malware URL.
+
+ - name: reporter
+ type: keyword
+ description: >
+ The Twitter handle of the reporter that has reported this malware URL (or anonymous).
+
+ - name: larted
+ type: boolean
+ description: >
+ Indicates whether the malware URL has been reported to the hosting provider (true or false)
+
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware URL
+
+ - name: blacklists.spamhaus_dbl
+ type: keyword
+ description: >
+ If the indicator is listed on the spamhaus blacklist.
+
+ - name: blacklists.surbl
+ type: keyword
+ description: >
+ If the indicator is listed on the surbl blacklist.
+
diff --git a/packages/ti_abusech/1.3.1/data_stream/url/manifest.yml b/packages/ti_abusech/1.3.1/data_stream/url/manifest.yml
new file mode 100755
index 0000000000..d138d7f3ac
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/url/manifest.yml
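Review bot: The descriptions of `blacklists.spamhaus_dbl` and `blacklists.surbl` read as yes/no statements ("If the indicator is listed on the spamhaus blacklist.") although both fields are typed `keyword`, and the sample event added in this same commit carries the string `not listed` for each, so the value is a listing status rather than a boolean. Suggest wording that names the value shape, e.g. `Listing status of the indicator on the Spamhaus DBL (for example "not listed").` and the equivalent for SURBL, so analysts do not try to filter on `true`/`false`. As a minor style point, every description here uses `>` followed by a blank line, which leaves a trailing newline in the string; `>-` yields the same text without it, unless the package tooling already strips it.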
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH URL logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH URL API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://urlhaus-api.abuse.ch/v1/urls/recent/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-url
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH URL logs
+ description: Collect AbuseCH URL logs
diff --git a/packages/ti_abusech/1.3.1/data_stream/url/sample_event.json b/packages/ti_abusech/1.3.1/data_stream/url/sample_event.json
new file mode 100755
index 0000000000..2ed40825e3
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/data_stream/url/sample_event.json
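Review bot: The `proxy_url` description ends in `http[s]://:@:`, so the user, password, host and port placeholders the form is meant to show are absent; whether they were lost in the committed file or only in this rendering cannot be told from here, but the committed text should read along the lines of `description: URL to proxy connections in the form of http[s]://USER:PASSWORD@HOST:PORT`. Since that form carries proxy credentials inside a plain `text` policy variable, the description should also say so, so operators can decide whether an unauthenticated proxy is the better choice. The `ssl` variable is `yaml`-typed, hidden by `show_user: false` and has no description at all; a one-liner naming what it accepts (presumably the keys of the httpjson input's `ssl` block) would help anyone enabling certificate verification or a custom CA for the endpoint.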
@@ -0,0 +1,71 @@
+{
+ "@timestamp": "2022-04-11T08:44:51.227Z",
+ "abusech": {
+ "url": {
+ "blacklists": {
+ "spamhaus_dbl": "not listed",
+ "surbl": "not listed"
+ },
+ "id": "1656008",
+ "larted": true,
+ "threat": "malware_download",
+ "url_status": "online"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd",
+ "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "ti_abusech.url",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:44:51.227Z",
+ "dataset": "ti_abusech.url",
+ "ingested": "2022-04-11T08:44:52Z",
+ "kind": "enrichment",
+ "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "abusech-url"
+ ],
+ "threat": {
+ "indicator": {
+ "first_seen": "2021-10-05T13:57:05.000Z",
+ "ip": "120.85.169.98",
+ "provider": "tammeto",
+ "reference": "https://urlhaus.abuse.ch/url/1656008/",
+ "type": "url",
+ "url": {
+ "domain": "120.85.169.98",
+ "extension": "m",
+ "full": "http://120.85.169.98:55871/mozi.m",
+ "original": "http://120.85.169.98:55871/mozi.m",
+ "path": "/mozi.m",
+ "port": 55871,
+ "scheme": "http"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.3.1/docs/README.md b/packages/ti_abusech/1.3.1/docs/README.md
new file mode 100755
index 0000000000..7f0e4de6ec
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/docs/README.md
@@ -0,0 +1,262 @@ +# AbuseCH integration + +This integration is for AbuseCH logs. It includes the following datasets for retrieving logs from the AbuseCH API: + +- `url` dataset: Supports URL based indicators from AbuseCH API. +- `malware` dataset: Supports Malware based indicators from AbuseCH API. +- `malwarebazaar` dataset: Supports indicators from the MalwareBazaar from AbuseCH. + +## Logs + +### URL + +The AbuseCH URL data_stream retrieves threat intelligence indicators from the URL API endpoint `https://urlhaus-api.abuse.ch/v1/urls/recent/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.url.blacklists.spamhaus_dbl | If the indicator is listed on the spamhaus blacklist. | keyword | +| abusech.url.blacklists.surbl | If the indicator is listed on the surbl blacklist. | keyword | +| abusech.url.id | The ID of the indicator. | keyword | +| abusech.url.larted | Indicates whether the malware URL has been reported to the hosting provider (true or false) | boolean | +| abusech.url.reporter | The Twitter handle of the reporter that has reported this malware URL (or anonymous). | keyword | +| abusech.url.tags | A list of tags associated with the queried malware URL | keyword | +| abusech.url.threat | The threat corresponding to this malware URL. | keyword | +| abusech.url.url_status | The current status of the URL. Possible values are: online, offline and unknown. | keyword | +| abusech.url.urlhaus_reference | Link to URLhaus entry. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | + + +The AbuseCH malware data_stream retrieves threat intelligence indicators from the payload API endpoint `https://urlhaus-api.abuse.ch/v1/payloads/recent/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.malware.signature | Malware familiy. | keyword | +| abusech.malware.virustotal.link | Link to the Virustotal report. | keyword | +| abusech.malware.virustotal.percent | AV detection in percent. | float | +| abusech.malware.virustotal.result | AV detection ration. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword |
+| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword |
+| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+
+
+The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| abusech.malwarebazaar.anonymous | Identifies if the sample was submitted anonymously. 
| long | +| abusech.malwarebazaar.code_sign | Code signing information for the sample. | keyword | +| abusech.malwarebazaar.intelligence.downloads | Number of downloads from MalwareBazaar. | long | +| abusech.malwarebazaar.intelligence.mail.Generic | Malware seen in generic spam traffic. | keyword | +| abusech.malwarebazaar.intelligence.mail.IT | Malware seen in IT spam traffic. | keyword | +| abusech.malwarebazaar.intelligence.uploads | Number of uploads from MalwareBazaar. | long | +| abusech.malwarebazaar.tags | A list of tags associated with the queried malware sample. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha384 | The file's sha384 hash, if available. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | +| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). 
| keyword |
+| threat.indicator.file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| threat.indicator.file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| threat.indicator.file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| threat.indicator.file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| threat.indicator.file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| threat.indicator.file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword |
diff --git a/packages/ti_abusech/1.3.1/img/abusech2.svg b/packages/ti_abusech/1.3.1/img/abusech2.svg
new file mode 100755
index 0000000000..6a0c76dd2c
--- /dev/null
+++ b/packages/ti_abusech/1.3.1/img/abusech2.svg @@ -0,0 +1,76 @@ + + + + diff --git a/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json new file mode 100755 index 0000000000..59a4a7e24c --- /dev/null +++ b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH URLs (This Page)](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420)** \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different 
threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\":{\"columnOrder\":[\"0389e125-4ae6-412a-a4af-2fa28f18c412\"],\"columns\":{\"0389e125-4ae6-412a-a4af-2fa28f18c412\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.spamhaus_dbl: * and not abusech.url.blacklists.spamhaus_dbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on Spamhaus 
DBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0389e125-4ae6-412a-a4af-2fa28f18c412\",\"layerId\":\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"title\":\"Spamhaus Count [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\":{\"columnOrder\":[\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\"],\"columns\":{\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.surbl: * and not abusech.url.blacklists.surbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on 
SURBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\",\"layerId\":\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"title\":\"Surbl Counter [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8f36a8c1-19df-4eba-8fa5-4f259d349375\":{\"columnOrder\":[\"efd6bc64-ffcd-42fe-8218-0795986addc4\"],\"columns\":{\"efd6bc64-ffcd-42fe-8218-0795986addc4\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status: \\\"online\\\" \"},\"isBucketed\":false,\"label\":\"URL's Online\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"efd6bc64-ffcd-42fe-8218-0795986addc4\",\"layerId\":\"8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"title\":\"URLs Online 
[Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471ad94f-c181-4ffb-a640-1666974adb33\":{\"columnOrder\":[\"8cd8034f-16bf-4a7a-b816-950498dc1f90\"],\"columns\":{\"8cd8034f-16bf-4a7a-b816-950498dc1f90\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status:\\\"offline\\\" \"},\"isBucketed\":false,\"label\":\"URL's Offline\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8cd8034f-16bf-4a7a-b816-950498dc1f90\",\"layerId\":\"471ad94f-c181-4ffb-a640-1666974adb33\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"title\":\"URLs Offline [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] URLs", + "version": 1 
+ }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..c27db69f53 --- /dev/null +++ b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH Files (This 
Page)](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":46,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File 
types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Based on count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Most seen indicator tags\",\"field\":\"abusech.malwarebazaar.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Most seen indicator tags [Logs 
AbuseCH]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"w\":20,\"x\":7,\"y\":27},\"panelIndex\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d1788a2e-c400-4d7b-9251-a8e5a806b6ef:kibanaSavedObjectMeta.searchSourceJSON.index", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..103067d9d5 --- /dev/null +++ b/packages/ti_abusech/1.3.1/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[AbuseCH Overview (This Page)](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the AbuseCH 
integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from AbuseCH. \\n\\nIt shows how many parts has been enabled (URL, Malware and MalwareBazaar), the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from AbuseCH.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6", + 
"migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.1/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.1/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..7cf7c3514a --- /dev/null +++ b/packages/ti_abusech/1.3.1/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "AbuseCH" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.1/manifest.yml b/packages/ti_abusech/1.3.1/manifest.yml new file mode 100755 index 0000000000..4433772e82 --- /dev/null +++ b/packages/ti_abusech/1.3.1/manifest.yml 
@@ -0,0 +1,26 @@
+name: ti_abusech
+title: AbuseCH
+version: 1.3.1
+release: ga
+description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/abusech2.svg
+ title: AbuseCH
+ size: 512x512
+ type: image/svg+xml
+policy_templates:
+ - name: ti_abusech
+ title: AbuseCH API
+ description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Collect AbuseCH logs via API"
+ description: "Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_cybersixgill/1.4.1/changelog.yml b/packages/ti_cybersixgill/1.4.1/changelog.yml
new file mode 100755
index 0000000000..9b54a27f92
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/changelog.yml
@@ -0,0 +1,41 @@
+# newer versions go on top
+- version: "1.4.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.3.2"
+ changes:
+ - description: Adding field mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.3.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.0"
+ changes:
+ - description: Moving integration to use the TAXII service rather than python scripts
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2771
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2447
+- version: "1.1.0"
+ changes:
+ - description: Adds dashboards, new logo and new threat ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2332
+- version: "1.0.0"
+ changes:
+ - description: initial implementation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1762
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_cybersixgill/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..b1c69c9385
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,62 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.added_after
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]'
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]'
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1c7bf729b4
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
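Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are rendered as plain unquoted YAML scalars, so a credential containing `: ` or ` #`, starting with `*`, `&`, `[`, `{` or `!`, or one that merely looks like a number or boolean, will either fail to parse or be silently retyped when the agent loads the rendered stream config. At minimum wrap both in quotes, `auth.basic.user: "{{username}}"` and `auth.basic.password: "{{password}}"`, and confirm that embedded `"` and `\` in the value are escaped by the template engine (if this package's Handlebars helpers provide an escaping helper, use it here). The same consideration applies to `request.proxy_url: {{proxy_url}}`, which may carry embedded credentials.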
@@ -0,0 +1,269 @@
+---
+description: Initial pipeline for parsing Cybersixgill webhooks
+processors:
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: cybersixgill
+ - remove:
+ field:
+ - cybersixgill.extensions
+ ignore_missing: true
+ - drop:
+ if: ctx?.cybersixgill?.type != "indicator"
+ - fingerprint:
+ fields:
+ - cybersixgill.id
+ target_field: "_id"
+ ignore_missing: true
+ #####################
+ # Threat ECS Fields #
+ #####################
+ ## File indicator operations
+ - date:
+ field: cybersixgill.created
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.cybersixgill?.created != null"
+ - date:
+ field: cybersixgill.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.cybersixgill?.modified != null"
+ - date:
+ field: cybersixgill.valid_from
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ssz"
+ - "yyyy-MM-dd'T'HH:mm:ssZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.Sz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
+ - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
+ if: "ctx.cybersixgill?.valid_from != null"
+ - grok:
+ field: cybersixgill.pattern
+ patterns:
+ - "^\\[%{MD5}\\]"
+ - "^\\[%{MD5} OR %{SHA1}\\]"
+ - "^\\[%{MD5} OR %{SHA1} OR %{SHA256}\\]"
+ - "^\\[%{SHA1}\\]"
+ - "^\\[%{SHA1} OR %{SHA256}\\]"
+ - "^\\[%{SHA256}\\]"
+ - "^\\[%{DATA:threat.indicator.type}:value%{SPACE}=%{SPACE}'%{DATA:_temp_.threatvalue}'\\]"
+ pattern_definitions:
+ MD5: "%{DATA:threat.indicator.type}:hashes.MD5%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.md5}'"
+ SHA1: "%{DATA:threat.indicator.type}:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha1}'"
+ SHA256: "%{DATA:threat.indicator.type}:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha256}'"
+ if: ctx.cybersixgill?.pattern != null
+ - rename:
+ field: _temp_.threatvalue
+ target_field: threat.indicator.ip
+ ignore_missing: true
+ if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"
+ - uri_parts:
+ field: _temp_.threatvalue
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx.threat?.indicator?.type == 'url'
+ - rename:
+ field: _temp_.threatvalue
+ target_field: threat.indicator.email.address
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'email-addr'
+ - rename:
+ field: _temp_.threatvalue
+ target_field: threat.indicator.url.domain
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'domain-name'
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - rename:
+ field: cybersixgill.labels
+ target_field: _temp_.tags
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.sixgill_severity
+ target_field: event.severity
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.sixgill_feedname
+ target_field: cybersixgill.feedname
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.sixgill_source
+ target_field: threat.indicator.provider
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.sixgill_posttitle
+ target_field: cybersixgill.title
+ ignore_missing: true
+ - rename:
+ field: cybersixgill.sixgill_actor
+ target_field: cybersixgill.actor
+ ignore_missing: true
+ - set:
+ field: threat.indicator.reference
+ value: "https://portal.cybersixgill.com/#/search?q=_id:{{cybersixgill.sixgill_postid}}"
+ if: ctx.cybersixgill?.sixgill_postid != null
+ - convert:
+ field: cybersixgill.sixgill_confidence
+ type: integer
+ target_field: threat.indicator.confidence
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx.cybersixgill?.external_references != null
+ description: >
+ Adds MITRE and VirusTotal fields
+ source: >
+ def refs = ctx.cybersixgill.external_references;
+ ctx.cybersixgill.mitre = new HashMap();
+ ctx.cybersixgill.virustotal = new HashMap();
+ ctx.threat.tactic = new HashMap();
+ for (def ref : refs) {
+ if (ref?.description != null) {
+ ctx.cybersixgill.mitre.description = ref.description;
+ }
+ if (ref?.mitre_attack_tactic != null) {
+ ctx.threat.tactic.name = ref.mitre_attack_tactic;
+ }
+ if (ref?.mitre_attack_tactic_id != null) {
+ ctx.threat.tactic.id = ref.mitre_attack_tactic_id;
+ }
+ if (ref?.mitre_attack_tactic_url != null) {
+ ctx.threat.tactic.reference = ref.mitre_attack_tactic_url;
+ }
+ if (ref?.positive_rate != null) {
+ ctx.cybersixgill.virustotal.pr = ref.positive_rate;
+ }
+ if (ref?.url != null) {
+ ctx.cybersixgill.virustotal.url = ref.url;
+ }
+ }
+ - foreach:
+ field: _temp_.tags
+ processor:
+ append:
+ field: tags
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx._temp_?.tags != null
+ - script:
+ lang: painless
+ if: ctx.threat?.indicator?.confidence != null
+ description: >
+ Normalize confidence level.
+ source: >
+ def value = ctx.threat.indicator.confidence;
+ if (value <= 0.0 || value > 100.0) {
+ ctx.threat.indicator.confidence = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx.threat.indicator.confidence = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx.threat.indicator.confidence = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx.threat.indicator.confidence = "High";
+ return;
+ }
+ - script:
+ lang: painless
+ if: ctx?.threatintel != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - _temp_
+ - cybersixgill.sixgill_postid
+ - cybersixgill.extensions
+ - cybersixgill.spec_version
+ - cybersixgill.valid_from
+ - cybersixgill.created
+ - cybersixgill.modified
+ - cybersixgill.lang
+ - cybersixgill.name
+ - cybersixgill.pattern_type
+ - cybersixgill.external_references
+ - cybersixgill.confidence
+ - cybersixgill.sixgill_confidence
+ - cybersixgill.id
+ - cybersixgill.indicator_types
+ - cybersixgill.pattern
+ - cybersixgill.sixgill_feedid
+ - cybersixgill.sixgill_post_virustotallink
+ - cybersixgill.type
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/agent.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/agent.yml
new file mode 100755
index 0000000000..845b84ed9c
--- /dev/null
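Review bot: The null-stripping script near the end of the pipeline is gated on `if: ctx?.threatintel != null`, but no processor in this pipeline writes a `threatintel` field (the json processor lands everything under `cybersixgill`), so `handleMap(ctx)` never executes and null values produced by the json and grok steps are indexed as-is. Change the condition to `if: ctx?.cybersixgill != null`, or drop it, since `handleMap` is safe to run on any document. Relatedly, the `fingerprint` processor that sets `_id` uses `ignore_missing: true`, so a STIX object lacking an `id` silently gets an auto-generated document id and may be indexed again if the same object is fetched a second time; worth confirming whether that is intended or whether such objects should be dropped.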
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/agent.yml 
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/base-fields.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..9b559d71a6
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,37 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_cybersixgill
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_cybersixgill.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: Cybersixgill Darkfeed
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..2d8f273afc
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,170 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. 
For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: threat.indicator.url.fragment + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: Reference URL linking to additional information about this indicator. 
+ name: threat.indicator.reference + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + type: keyword diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/fields.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..8f92ebcd56 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/fields/fields.yml 
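Review bot: The `threat.indicator.confidence` definition in this hunk lists `Medium` as an expected value, but the confidence-banding Painless script at the top of this chunk (which appears to be this package's ingest pipeline) writes `"Med"` for the 30–69 band, so indexed documents will carry a value the field's own description and the STIX scale it cites do not allow; the one-line fix is `ctx.threat.indicator.confidence = "Medium";`. That script also has no final branch for values falling between the bands (for example 0.5, 29.5 or 69.5), so if the feed ever sends a non-integer confidence the raw number is left in this keyword field instead of a scale value — worth closing with an `else` that sets `"None"` or `"Not Specified"`. Separately, the `message` field is declared twice in this hunk (once after `ecs.version`, again after `event.created`); the second copy should be dropped so the field list stays unambiguous.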
@@ -0,0 +1,32 @@
+- name: cybersixgill
+ type: group
+ release: beta
+ fields:
+ - name: feedname
+ type: keyword
+ description: |
+ Name of the Threat Intel feed.
+ - name: title
+ type: keyword
+ description: |
+ The title of the indicator.
+ - name: actor
+ type: keyword
+ description: |
+ The related actor for the indicator.
+ - name: valid_from
+ type: date
+ description: |
+ At what date the indicator is valid from.
+ - name: virustotal.pr
+ type: keyword
+ description: |
+ The Virustotal positive rate.
+ - name: virustotal.url
+ type: keyword
+ description: |
+ The related Virustotal URL.
+ - name: mitre.description
+ type: keyword
+ description: |
+ The mitre description of the indicator
diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/manifest.yml b/packages/ti_cybersixgill/1.4.1/data_stream/threat/manifest.yml
new file mode 100755
index 0000000000..2172810090
--- /dev/null
+++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/manifest.yml
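Review bot: `cybersixgill.valid_from` is mapped here as a date, yet the pipeline's final `remove` processor at the top of this chunk drops `cybersixgill.valid_from`, and the sample event in this patch only carries that timestamp as `threat.indicator.first_seen`, so this mapping looks dead; either remove the entry or take the field out of the remove list, whichever reflects the intent. The `virustotal.pr` description says "positive rate", but the sample event shows the value `"medium"`, i.e. a bucket rather than a number, so a more honest description would be `VirusTotal positive-rate bucket as reported by Cybersixgill (e.g. "medium").` so analysts do not expect a numeric ratio in a keyword field.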
@@ -0,0 +1,88 @@ +type: logs +title: Cybersixgill Darkfeed Logs +streams: + - input: httpjson + vars: + - name: username + type: text + title: Cybersixgill Darkfeed Client ID + multi: false + required: true + show_user: true + - name: password + type: password + title: Cybersixgill Darkfeed Client Secret + multi: false + required: true + show_user: true + - name: url + type: text + title: Cybersixgill Darkfeed URL + multi: false + required: true + show_user: false + default: https://api.cybersixgill.com/taxii/sixgill-taxii/collections/102/objects + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + default: 2160h + description: How far back to look for indicators the first time the agent is started. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ti_cybersixgill + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Cybersixgill Darkfeed Logs + description: Collect Cybersixgill Darkfeed Logs diff --git a/packages/ti_cybersixgill/1.4.1/data_stream/threat/sample_event.json b/packages/ti_cybersixgill/1.4.1/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..d20d8876f3 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/data_stream/threat/sample_event.json 
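Review bot: The `ssl` variable is exposed as free-form YAML with no `description`, so nothing tells an operator that this is where TLS verification for the TAXII endpoint (fetched with the Client ID/Secret above) is configured, or that setting `verification_mode: none` there turns off certificate checking; add `description: TLS settings for the connection to the Darkfeed TAXII server (certificate_authorities, verification_mode, etc.); leave verification enabled in production.`, assuming this maps to the httpjson input's SSL options as it usually does. The `proxy_url` description reads `http[s]://:@:`, which looks like its user/password/host/port placeholders were lost, so as shipped it gives no usable format — and since a proxy URL may embed credentials that end up in the agent policy in plain text, the description should say so. `password` is correctly `type: password`, but `username` is titled "Client ID" while keyed `username`; a short description noting that the TAXII Basic-auth user is the Darkfeed Client ID would avoid confusion.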
@@ -0,0 +1,77 @@ +{ + "@timestamp": "2021-12-07T13:58:01.596Z", + "agent": { + "ephemeral_id": "23a1b4ff-d3ba-4cc1-a31d-65adb7b305fb", + "id": "3f82d126-26ae-4993-a89b-63c5413149e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "cybersixgill": { + "actor": "vaedzy", + "feedname": "dark_web_hashes", + "mitre": { + "description": "Mitre attack tactics and technique reference" + }, + "title": "[病毒样本] #Trickbot (2021-12-07)", + "virustotal": { + "pr": "medium", + "url": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d" + } + }, + "data_stream": { + "dataset": "ti_cybersixgill.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3f82d126-26ae-4993-a89b-63c5413149e0", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:36:43.266Z", + "dataset": "ti_cybersixgill.threat", + "ingested": "2022-04-11T08:36:43Z", + "kind": "enrichment", + "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build 
Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", + "severity": 70, + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "ti_cybersixgill" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Hash attributed to malware that was discovered in the dark and deep web", + "file": { + "hash": { + "md5": "4d0f21919d623bd1631ee15ca7429f28", + "sha1": "5ce39ef0700b64bd0c71b55caf64ae45d8400965", + "sha256": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d" + } + }, + "first_seen": "2021-12-07T02:55:17.000Z", + "last_seen": "2021-12-07T13:58:01.596Z", + "provider": "forum_kafan", + "reference": 
"https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", + "type": "file" + }, + "tactic": { + "id": "TA0024", + "name": "Build Capabilities", + "reference": "https://attack.mitre.org/tactics/TA0024/" + } + } +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/docs/README.md b/packages/ti_cybersixgill/1.4.1/docs/README.md new file mode 100755 index 0000000000..3894f0b48a --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/docs/README.md 
@@ -0,0 +1,179 @@ +# Cybersixgill Darkfeed TAXII Integration + +This integration connects with the commercial [Cybersixgill Darkfeed](https://www.cybersixgill.com/products/darkfeed/) TAXII server. + +## Logs + +### Threat + +The Cybersixgill Darkfeed integration collects threat intelligence from the Darkfeed TAXII service available using the credentials provided from Cybersixgill. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| cybersixgill.actor | The related actor for the indicator. | keyword | +| cybersixgill.feedname | Name of the Threat Intel feed. | keyword | +| cybersixgill.mitre.description | The mitre description of the indicator | keyword | +| cybersixgill.title | The title of the indicator. | keyword | +| cybersixgill.valid_from | At what date the indicator is valid from. | date | +| cybersixgill.virustotal.pr | The Virustotal positive rate. 
| keyword | +| cybersixgill.virustotal.url | The related Virustotal URL. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. 
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
+| input.type | Input type. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword |
+| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. 
| match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-07T13:58:01.596Z",
+ "agent": {
+ "ephemeral_id": "23a1b4ff-d3ba-4cc1-a31d-65adb7b305fb",
+ "id": "3f82d126-26ae-4993-a89b-63c5413149e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "cybersixgill": {
+ "actor": "vaedzy",
+ "feedname": "dark_web_hashes",
+ "mitre": {
+ "description": "Mitre attack tactics and technique reference"
+ },
+ "title": "[病毒样本] #Trickbot (2021-12-07)",
+ "virustotal": {
+ "pr": "medium",
+ "url": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d"
+ }
+ },
+ "data_stream": {
+ "dataset": "ti_cybersixgill.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "3f82d126-26ae-4993-a89b-63c5413149e0",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:36:43.266Z",
+ "dataset": "ti_cybersixgill.threat",
+ "ingested": "2022-04-11T08:36:43Z",
+ "kind": "enrichment",
+ "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash 
attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", + "severity": 70, + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "ti_cybersixgill" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": 
"Hash attributed to malware that was discovered in the dark and deep web", + "file": { + "hash": { + "md5": "4d0f21919d623bd1631ee15ca7429f28", + "sha1": "5ce39ef0700b64bd0c71b55caf64ae45d8400965", + "sha256": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d" + } + }, + "first_seen": "2021-12-07T02:55:17.000Z", + "last_seen": "2021-12-07T13:58:01.596Z", + "provider": "forum_kafan", + "reference": "https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", + "type": "file" + }, + "tactic": { + "id": "TA0024", + "name": "Build Capabilities", + "reference": "https://attack.mitre.org/tactics/TA0024/" + } + } +} +``` \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/img/cybersixgill.svg b/packages/ti_cybersixgill/1.4.1/img/cybersixgill.svg new file mode 100755 index 0000000000..7ef7622b8e --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/img/cybersixgill.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..f9c9134080 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the Cybersixgill integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \\n**[Cybersixgill Files (This Page)](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738)** \\n[Cybersixgill 
URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\":{\"columnOrder\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\",\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\"],\"columns\":{\"27d0558e-428b-40a7-aea7-4195a095ff3f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.id\"},\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\"],\"layerId\":\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"c66ad183-f4f0-4605-b35d-85b7038403fd\",\"w\":14,\"x\":18,\"y\":0},\"panelIndex\":\"c66ad183-f4f0-4605-b35d-85b7038403fd\",\"title\":\"Mitre Tactics ID [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9722683d-8451-450c-b62c-8f28e7263f1b\":{\"columnOrder\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\",\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\"],\"columns\":{\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\"],\"layerId\":\"9722683d-8451-450c-b62c-8f28e7263f1b\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"fcc44298-dfb6-4bd4-a63d-e845ce3eb859\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"fcc44298-dfb6-4bd4-a63d-e845ce3eb859\",\"title\":\"Mitre Tactics Name [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":5,\"x\":7,\"y\":8},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":12,\"y\":8},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9646600b-883b-40d0-af92-d25f7fb3fcf6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9646600b-883b-40d0-af92-d25f7fb3fcf6\":{\"columnOrder\":[\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\",\"36345449-d429-419f-a3e1-202546a186d4\"],\"columns\":{\"36345449-d429-419f-a3e1-202546a186d4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Feed Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36345449-d429-419f-a3e1-202546a186d4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cybersixgill.feedname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\",\"isTransposed\":false},{\"columnId\":\"36345449-d429-419f-a3e1-202546a186d4\",\"isTransposed\":false}],\"layerId\":\"9646600b-883b-40d0-af92-d25f7fb3fcf6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"0638c316-a573-412f-b3c4-f72dde07c6e8\",\"w\":11,\"x\":7,\"y\":16},\"panelIndex\":\"0638c316-a573-412f-b3c4-f72dde07c6e8\",\"title\":\"Top Feeds [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"forwarded|preserve_original_event|cybersixgill-threat\",\"field\":\"tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"463b3747-56ee-425d-a2ac-a94a44b4995e\",\"w\":14,\"x\":18,\"y\":16},\"panelIndex\":\"463b3747-56ee-425d-a2ac-a94a44b4995e\",\"title\":\"File Tags [Logs Cybersixgill]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d9757b54-ffa7-45da-b31b-1387c4a2d26e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d9757b54-ffa7-45da-b31b-1387c4a2d26e\":{\"columnOrder\":[\"af192ae4-c012-49db-b768-85d876f2688e\",\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\"],\"columns\":{\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"af192ae4-c012-49db-b768-85d876f2688e\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.confidence\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.confidence\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"af192ae4-c012-49db-b768-85d876f2688e\"],\"layerId\":\"d9757b54-ffa7-45da-b31b-1387c4a2d26e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"256a7b33-485f-4715-90f3-768bea61d23e\",\"w\":16,\"x\":32,\"y\":16},\"panelIndex\":\"256a7b33-485f-4715-90f3-768bea61d23e\",\"title\":\"Confidence Levels [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Cybersixgill] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c66ad183-f4f0-4605-b35d-85b7038403fd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c66ad183-f4f0-4605-b35d-85b7038403fd:indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcc44298-dfb6-4bd4-a63d-e845ce3eb859:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcc44298-dfb6-4bd4-a63d-e845ce3eb859:indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0638c316-a573-412f-b3c4-f72dde07c6e8:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0638c316-a573-412f-b3c4-f72dde07c6e8:indexpattern-datasource-layer-9646600b-883b-40d0-af92-d25f7fb3fcf6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "463b3747-56ee-425d-a2ac-a94a44b4995e:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "256a7b33-485f-4715-90f3-768bea61d23e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "256a7b33-485f-4715-90f3-768bea61d23e:indexpattern-datasource-layer-d9757b54-ffa7-45da-b31b-1387c4a2d26e", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..bc0a0f12a2 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json 
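Review bot: The "Unique File types" Lens metric in panelsJSON counts `threat.indicator.url.extension`, yet this dashboard's saved filter pins `threat.indicator.type: file` and the README's file-indicator example carries only `threat.indicator.file.hash.*` and no url fields, so the panel looks like it will always read zero here; switching it to a hash field or dropping it seems to be the intended fix. Several embedded visualisation titles and both `sharingSavedObjectProps.sourceId` values still name the AbuseCH package (`"Unique MD5 [Logs AbuseCH]"`, `"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6"`), which reads as a cross-package dependency to anyone auditing the saved object; renaming them to `[Logs Cybersixgill]` and removing the `sharingSavedObjectProps` blocks would make the object self-contained. The tag cloud's `exclude` pattern `forwarded|preserve_original_event|cybersixgill-threat` does not cover the `ti_cybersixgill` tag that the example event carries, so that constant tag will presumably dominate the cloud; `"exclude":"forwarded|preserve_original_event|ti_cybersixgill"` matches the tags the integration actually sets.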
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the Cybersixgill Darkfeed integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \\n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \\n**[Cybersixgill URLs (This 
Page)](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738)** \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":38,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":9,\"x\":7,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":9,\"x\":16,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions 
[Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\":{\"columnOrder\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\",\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\"],\"columns\":{\"27d0558e-428b-40a7-aea7-4195a095ff3f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.id\"},\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\"],\"layerId\":\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008\",\"w\":12,\"x\":25,\"y\":23},\"panelIndex\":\"08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008\",\"title\":\"Mitre Tactics ID [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9722683d-8451-450c-b62c-8f28e7263f1b\":{\"columnOrder\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\",\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\"],\"columns\":{\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\"],\"layerId\":\"9722683d-8451-450c-b62c-8f28e7263f1b\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a828d701-6a36-4401-8b35-419b4454c6fc\",\"w\":11,\"x\":37,\"y\":23},\"panelIndex\":\"a828d701-6a36-4401-8b35-419b4454c6fc\",\"title\":\"Mitre Tactics Name [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + 
"timeRestore": false, + "title": "[Logs Cybersixgill] URLs", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008:indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a828d701-6a36-4401-8b35-419b4454c6fc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a828d701-6a36-4401-8b35-419b4454c6fc:indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..521af2b8a2 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json 
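Review bot: The markdown panel in `panelsJSON` is titled `Files Navigation Textbox [Logs AbuseCH]` even though this is the Cybersixgill URLs dashboard; the title is hidden (`hidePanelTitles: true`) so nothing renders wrong, but it is an apparent leftover of copying from the AbuseCH package and makes the saved object misleading to search — suggest `URLs Navigation Textbox [Logs Cybersixgill]`. The treemap panel (`Most Popular File Extensions`) lists the same column id `15e2b5ad-2040-4253-89a6-60f085c66f86` twice in its `groups` array, whereas the donut panels list their group column once; Lens probably tolerates the duplicate, but it looks unintended and should be a single entry. The same AbuseCH-suffixed titles recur in the overview dashboard hunk that follows.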
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the Cybersixgill Darkfeed integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[Cybersixgill Overview (This Page)](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738)** \\n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \\n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the Cybersixgill Darkfeed integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. 
\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator 
Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs Cybersixgill]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-720e8ef8-eec8-4aff-abe0-c14c0bab64db\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"720e8ef8-eec8-4aff-abe0-c14c0bab64db\":{\"columnOrder\":[\"62778b77-cc47-48e1-8648-02ffd9ed8b72\",\"8e35c18d-ceea-4462-b205-daf206f180cc\"],\"columns\":{\"62778b77-cc47-48e1-8648-02ffd9ed8b72\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8e35c18d-ceea-4462-b205-daf206f180cc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"},\"8e35c18d-ceea-4462-b205-daf206f180cc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"62778b77-cc47-48e1-8648-02ffd9ed8b72\"],\"layerId\":\"720e8ef8-eec8-4aff-abe0-c14c0bab64db\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8e35c18d-ceea-4462-b205-daf206f180cc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f3141aca-8e35-48a7-9ac8-cc43fa1a47c0\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f3141aca-8e35-48a7-9ac8-cc43fa1a47c0\",\"title\":\"Mitre Tactics [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Cybersixgill] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + 
"id": "ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f3141aca-8e35-48a7-9ac8-cc43fa1a47c0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "f3141aca-8e35-48a7-9ac8-cc43fa1a47c0:indexpattern-datasource-layer-720e8ef8-eec8-4aff-abe0-c14c0bab64db", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.4.1/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..ecc0f01b43 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "Cybersixgill" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.4.1/manifest.yml b/packages/ti_cybersixgill/1.4.1/manifest.yml new file mode 100755 index 0000000000..fc4fe16140 --- /dev/null +++ b/packages/ti_cybersixgill/1.4.1/manifest.yml 
@@ -0,0 +1,26 @@
+name: ti_cybersixgill
+title: Cybersixgill
+version: 1.4.1
+release: ga
+description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security", "productivity"]
+conditions:
+ kibana.version: ^8.0.0
+policy_templates:
+ - name: cybersixgill
+ title: Cybersixgill Threat Intel
+ description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Ingest threat intelligence indicators from Cybersixgill Darkfeed with Elastic Agent."
+ description: "Ingest threat intelligence indicators from Cybersixgill Darkfeed with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
+icons:
+ - src: /img/cybersixgill.svg
+ title: Cybersixgill
+ size: 32x32
+ type: image/svg+xml
diff --git a/packages/ti_misp/1.3.1/changelog.yml b/packages/ti_misp/1.3.1/changelog.yml
new file mode 100755
index 0000000000..7c174a8929
--- /dev/null
+++ b/packages/ti_misp/1.3.1/changelog.yml
@@ -0,0 +1,46 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.2"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2448
+- version: "1.1.0"
+ changes:
+ - description: Adds dashboards and threat.feed ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2485
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..e7813459bb
--- /dev/null
+++ b/packages/ti_misp/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,75 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}/events/restSearch
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.body:
+{{#if filters}}
+ {{filters}}
+{{/if}}
+request.transforms:
+{{#if api_token}}
+- set:
+ target: header.Authorization
+ value: {{api_token}}
+{{/if}}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
+- set:
+ target: body.timestamp
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
+
+response.split:
+ target: body.response
+ split:
+ target: body.Event.Attribute
+ ignore_empty_value: true
+ keep_parent: true
+ split:
+ target: body.Event.Object
+ keep_parent: true
+ split:
+ target: body.Event.Object.Attribute
+ keep_parent: true
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: body.page
+ value: '[[add .last_response.page 1]]'
+ fail_on_template_error: true
+cursor:
+ timestamp:
+ value: '[[.last_event.Event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_misp/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..ce9f44b3b4
--- /dev/null
+++ b/packages/ti_misp/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
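Review bot: `value: {{api_token}}` and `request.url: {{url}}/events/restSearch` interpolate the policy values as unquoted YAML scalars, so a MISP key or URL containing a YAML-significant sequence (` #`, `: `, a leading `*`, `&` or `[`) would be mis-parsed or retyped instead of being sent verbatim in the `Authorization` header; quoting them, `value: "{{api_token}}"` and `request.url: "{{url}}/events/restSearch"`, makes the rendered input robust. The `{{ssl}}` block is passed through unconstrained, so a policy that sets `verification_mode: none` sends that API key over an unverified TLS session — a one-line comment above `request.ssl` stating that the package does not enforce certificate verification would make that trade-off visible to whoever edits the policy. `request.body` is followed by `{{filters}}` at a fixed two-space indent, which presumably assumes the user's filter JSON is single-line or flow-style; saying so in the variable's description would turn a confusing parse error into an expected constraint.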
@@ -0,0 +1,385 @@ +--- +description: Pipeline for parsing MISP Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.2.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + target_field: "_id" + ignore_missing: true + - rename: + field: json.Event + target_field: misp + ignore_missing: true + - set: + field: threat.indicator.provider + value: misp + if: ctx.misp?.Orgc?.local != 'false' + - set: + field: threat.indicator.provider + value: "{{misp.Orgc.name}}" + if: ctx.misp?.Orgc?.local == 'false' + ignore_empty_value: true + + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - misp.ShadowAttribute + - misp.RelatedEvent + - misp.Galaxy + - misp.Attribute.Galaxy + - misp.Attribute.ShadowAttribute + - misp.EventReport + - misp.Object.Attribute.Galaxy + - misp.Object.Attribute.ShadowAttribute + ignore_missing: true + - remove: + field: + - misp.Attribute + ignore_missing: true + if: ctx.misp?.Attribute.size() == 0 + - remove: + field: + - misp.Object + ignore_missing: true + if: ctx.misp?.Object.size() == 0 + - date: + field: misp.timestamp + formats: + - UNIX + ignore_failure: true + - rename: + field: misp.Attribute + target_field: misp.attribute + ignore_missing: true + - rename: + field: misp.Object + target_field: misp.object + ignore_missing: true + - rename: + field: misp.object.Attribute + target_field: misp.object.attribute + ignore_missing: true + - rename: + field: misp.Orgc + target_field: 
misp.orgc + ignore_missing: true + - rename: + field: misp.Org + target_field: misp.org + ignore_missing: true + - rename: + field: misp.Tag + target_field: misp.tag + ignore_missing: true + + # # Dance around issue of not being able to split the document into two. + # # Make the Object.Attribute field primary if it exists, but keep the + # # outer Attribute as context. + - rename: + field: misp.attribute + target_field: misp.context.attribute + ignore_missing: true + if: ctx.misp?.object != null + - rename: + field: misp.object.attribute + target_field: misp.attribute + ignore_missing: true + if: ctx.misp?.object != null + + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threat.feed.name + value: "MISP" + - rename: + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen + ignore_missing: true + - rename: + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen + ignore_missing: true + - convert: + field: misp.analysis + type: long + target_field: threat.indicator.scanner_stats + ignore_missing: true + - convert: + field: misp.threat_level_id + type: long + ignore_missing: true + + ## File/Hash indicator operations + - set: + field: threat.indicator.type + value: file + if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" + - rename: + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.file.name + ignore_missing: true + if: 
"ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" + - grok: + field: misp.attribute.type + patterns: + - "%{WORD}\\|%{WORD:_tmp.hashtype}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') + - set: + field: threat.indicator.file.hash.{{_tmp.hashtype}} + value: "{{_tmp.hashvalue}}" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + + ## URL/URI indicator operations + - set: + field: threat.indicator.type + value: url + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" + - uri_parts: + field: misp.attribute.value + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" + + ## Regkey indicator operations + - set: + field: threat.indicator.type + value: windows-registry-key + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.registry.key + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" + ignore_missing: true + if: "ctx.misp?.attribute?.type == 
'regkey|value'" + + ## AS indicator operations + - set: + field: threat.indicator.type + value: autonomous-system + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" + - convert: + field: misp.attribute.value + type: long + target_field: threat.indicator.as.number + ignore_missing: true + if: ctx.threat?.indicator?.type == 'autonomous-system' + + ## Domain/IP/Port indicator operations + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))" + - set: + field: threat.indicator.type + value: ipv4-addr + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.url.domain + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" + - rename: + field: misp.attribute.value + target_field: threat.indicator.ip + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" + ignore_missing: true + if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null + - grok: + field: misp.attribute.value + patterns: + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + + ## Email indicator operations + # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
+ - set: + field: threat.indicator.type + value: email-addr + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" + - set: + field: threat.indicator.type + value: email-message + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.email.address + ignore_missing: true + if: ctx.threat?.indicator?.type == 'email-addr' + - rename: + field: misp.event_creator_email + target_field: user.email + ignore_missing: true + - append: + field: user.roles + value: "reporting_user" + if: ctx?.user?.email != null + + ## MAC Address indicator operations + - set: + field: threat.indicator.type + value: mac-addr + if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.mac + ignore_missing: true + if: ctx.threat?.indicator?.type == 'mac-addr' + + ################### + # Tags ECS fields # + ################### + # Stripping special characters from tags + - script: + lang: painless + if: ctx.misp?.tag != null + source: | + def tags = ctx.misp.tag.stream() + .map(t -> t.name.replace('\\', '').replace('"', '')) + .collect(Collectors.toList()); + def tlpTags = tags.stream() + .filter(t -> t.startsWith('tlp:')) + .map(t -> t.replace('tlp:', '')) + .collect(Collectors.toList()); + + ctx.tags = tags; + ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; + + # Setting indicator type to unknown if it does not match anything + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + + ################# + # Convert types # + ################# + - convert: + field: misp.attribute.distribution + type: long + ignore_missing: true + - convert: + field: misp.context.attribute.distribution + type: long + 
ignore_missing: true + - convert: + field: threat.indicator.port + type: long + ignore_missing: true + - convert: + field: misp.attribute_count + type: long + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.misp != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - misp.attribute.value + ignore_missing: true + if: ctx.threat?.indicator?.type != 'unknown' + - remove: + field: + # This removes a number of fields that may be wanted in the future when + # misp.attribute and misp.object.attribute can + # be separated. At the root of .object are fields that mirror fields at + # the root of misp. + - misp.object + ignore_missing: true + - remove: + field: + - misp.Attribute.timestamp + - misp.timestamp + - misp.tag + - misp.org + - misp.analysis + - _tmp + - json + ignore_missing: true + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_misp/1.3.1/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.3.1/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_misp/1.3.1/data_stream/threat/fields/agent.yml 
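Review bot: The `set` that assigns `threat.indicator.type: ipv4-addr` for `ip-src`, `ip-src|port`, `ip-dst` and `ip-dst|port` labels every address indicator as IPv4 and nothing downstream corrects it; MISP's `ip-src`/`ip-dst` attribute types are not, to my knowledge, IPv4-only, so an IPv6 indicator would be stored under the wrong STIX type even though `ipv6-addr` is in the recommended list in this diff's fields file. A corrective `set` placed after the rename/grok processors that populate `threat.indicator.ip` can derive the type from the value itself (a v6 literal always contains a colon) — see the excerpt below. Separately, the two `remove` processors conditioned on `ctx.misp?.Attribute.size() == 0` and `ctx.misp?.Object.size() == 0` null-guard only `misp`, so an event that carries no `Attribute` or `Object` key at all would evaluate `.size()` on null and push the whole document into `on_failure`; `ctx.misp?.Attribute?.size() == 0` (and likewise for `Object`) is the safer form. The final cleanup `remove` lists `misp.Attribute.timestamp`, a path that no longer exists after the earlier rename to `misp.attribute`, so it is a silent no-op — presumably `misp.attribute.timestamp` was meant. The tag script also keeps the TLP marking exactly as MISP spells the tag (`tlp:white` → `white`) while the ECS field file recommends `WHITE`/`GREEN`/`AMBER`/`RED`; `.map(t -> t.replace('tlp:', '').toUpperCase())` would align the two.

```yaml
  ## Domain/IP/Port indicator operations
  # … unchanged: domain-name / ipv4-addr type assignment, rename and grok of misp.attribute.value …
  - set:
      field: threat.indicator.type
      value: ipv6-addr
      if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':')"
```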
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_misp/1.3.1/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.3.1/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..ad1000cb9b
--- /dev/null
+++ b/packages/ti_misp/1.3.1/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_misp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_misp.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: MISP
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_misp/1.3.1/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.3.1/data_stream/threat/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_misp/1.3.1/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_misp/1.3.1/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.3.1/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..e6dcb70141
--- /dev/null
+++ b/packages/ti_misp/1.3.1/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,188 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- name: threat.feed.name + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Count of AV/EDR vendors that successfully detected malicious file or URL. + name: threat.indicator.scanner_stats + type: long +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
+ multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. 
+ name: threat.indicator.provider + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword +- description: Identifies a threat indicator as a port number (irrespective of direction). + name: threat.indicator.port + type: long +- description: Hive-relative path of keys. + name: threat.indicator.registry.key + type: keyword +- description: Name of the value written. + name: threat.indicator.registry.value + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword diff --git a/packages/ti_misp/1.3.1/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.3.1/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..133826511b --- /dev/null +++ b/packages/ti_misp/1.3.1/data_stream/threat/fields/fields.yml 
@@ -0,0 +1,291 @@ +- name: misp + type: group + description: > + Fields for MISP indicators + + fields: + - name: id + type: keyword + description: > + Attribute ID. + + - name: orgc_id + type: keyword + description: > + Organization Community ID of the event. + + - name: org_id + type: keyword + description: > + Organization ID of the event. + + - name: threat_level_id + type: long + description: > + Threat level from 5 to 1, where 1 is the most critical. + + - name: info + type: keyword + description: > + Additional text or information related to the event. + + - name: published + type: boolean + description: > + When the event was published. + + - name: uuid + type: keyword + description: > + The UUID of the event object. + + - name: date + type: date + description: > + The date of when the event object was created. + + - name: attribute_count + type: long + description: > + How many attributes are included in a single event object. + + - name: timestamp + type: date + description: > + The timestamp of when the event object was created. + + - name: distribution + type: keyword + description: > + Distribution type related to MISP. + + - name: proposal_email_lock + type: boolean + description: > + Settings configured on MISP for email lock on this event object. + + - name: locked + type: boolean + description: > + If the current MISP event object is locked or not. + + - name: publish_timestamp + type: date + description: > + At what time the event object was published + + - name: sharing_group_id + type: keyword + description: > + The ID of the grouped events or sources of the event. + + - name: disable_correlation + type: boolean + description: > + If correlation is disabled on the MISP event object. + + - name: extends_uuid + type: keyword + description: > + The UUID of the event object it might extend. + + - name: org.id + type: keyword + description: > + The organization ID related to the event object. 
+ + - name: org.name + type: keyword + description: > + The organization name related to the event object. + + - name: org.uuid + type: keyword + description: > + The UUID of the organization related to the event object. + + - name: org.local + type: boolean + description: > + If the event object is local or from a remote source. + + - name: orgc.id + type: keyword + description: > + The Organization Community ID in which the event object was reported from. + + - name: orgc.name + type: keyword + description: > + The Organization Community name in which the event object was reported from. + + - name: orgc.uuid + type: keyword + description: > + The Organization Community UUID in which the event object was reported from. + + - name: orgc.local + type: boolean + description: > + If the Organization Community was local or synced from a remote source. + + - name: attribute.id + type: keyword + description: > + The ID of the attribute related to the event object. + + - name: attribute.type + type: keyword + description: > + The type of the attribute related to the event object. For example email, ipv4, sha1 and such. + + - name: attribute.category + type: keyword + description: > + The category of the attribute related to the event object. For example "Network Activity". + + - name: attribute.to_ids + type: boolean + description: > + If the attribute should be automatically synced with an IDS. + + - name: attribute.uuid + type: keyword + description: > + The UUID of the attribute related to the event. + + - name: attribute.event_id + type: keyword + description: > + The local event ID of the attribute related to the event. + + - name: attribute.distribution + type: long + description: > + How the attribute has been distributed, represented by integer numbers. + + - name: attribute.timestamp + type: date + description: > + The timestamp in which the attribute was attached to the event object. 
+ + - name: attribute.comment + type: keyword + description: > + Comments made to the attribute itself. + + - name: attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific attribute. + + - name: attribute.deleted + type: boolean + description: > + If the attribute has been removed from the event object. + + - name: attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the attribute related to the event object. + + - name: attribute.object_id + type: keyword + description: > + The ID of the Object in which the attribute is attached. + + - name: attribute.object_relation + type: keyword + description: > + The type of relation the attribute has with the event object itself. + + - name: attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". + + - name: context.attribute.id + type: keyword + description: > + The ID of the secondary attribute related to the event object. + + - name: context.attribute.type + type: keyword + description: > + The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. + + - name: context.attribute.category + type: keyword + description: > + The category of the secondary attribute related to the event object. For example "Network Activity". + + - name: context.attribute.to_ids + type: boolean + description: > + If the secondary attribute should be automatically synced with an IDS. + + - name: context.attribute.uuid + type: keyword + description: > + The UUID of the secondary attribute related to the event. + + - name: context.attribute.event_id + type: keyword + description: > + The local event ID of the secondary attribute related to the event. + + - name: context.attribute.distribution + type: long + description: > + How the secondary attribute has been distributed, represented by integer numbers. 
+ + - name: context.attribute.timestamp + type: date + description: > + The timestamp in which the secondary attribute was attached to the event object. + + - name: context.attribute.comment + type: keyword + description: > + Comments made to the secondary attribute itself. + + - name: context.attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific secondary attribute. + + - name: context.attribute.deleted + type: boolean + description: > + If the secondary attribute has been removed from the event object. + + - name: context.attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the secondary attribute related to the event object. + + - name: context.attribute.object_id + type: keyword + description: > + The ID of the Object in which the secondary attribute is attached. + + - name: context.attribute.object_relation + type: keyword + description: > + The type of relation the secondary attribute has with the event object itself. + + - name: context.attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". + + - name: context.attribute.first_seen + type: keyword + description: > + The first time the indicator was seen. + + - name: context.attribute.last_seen + type: keyword + description: > + The last time the indicator was seen. + diff --git a/packages/ti_misp/1.3.1/data_stream/threat/manifest.yml b/packages/ti_misp/1.3.1/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..353de39766 --- /dev/null +++ b/packages/ti_misp/1.3.1/data_stream/threat/manifest.yml 
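Review bot: The descriptions of `attribute.disable_correlation` and `context.attribute.disable_correlation` say "If correlation has been enabled", which inverts the field's meaning and contradicts the event-level `disable_correlation` entry earlier in the same hunk ("If correlation is disabled"); `If correlation has been disabled on the attribute related to the event object.` matches the field name and the `"disable_correlation": false` value in the sample event. `misp.id` is described as `Attribute ID.`, but the sample event carries the MISP event id there (`"id": "2"`, with the attribute id under `misp.attribute.id`), so `The ID of the MISP event object.` is the accurate text; likewise `published` is a boolean whose description `When the event was published.` reads as a timestamp that actually belongs to `publish_timestamp`. `context.attribute.first_seen` and `context.attribute.last_seen` are typed `keyword` although they describe points in time; if MISP emits them as timestamps, `type: date` would permit range queries and would be consistent with `attribute.timestamp` and with ECS `threat.indicator.first_seen`. The primary `attribute` group declares no `first_seen`/`last_seen` at all, even though the sample's raw event includes both (as `null`), so a non-null value would presumably land unmapped.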
@@ -0,0 +1,101 @@ +type: logs +title: MISP +streams: + - input: httpjson + vars: + - name: url + type: text + title: MISP URL + multi: false + required: true + show_user: true + default: https://mispserver.com + description: The URL or hostname of the MISP instance. + - name: api_token + type: password + title: MISP API Token + multi: false + required: true + show_user: true + description: The API token used to access the MISP instance. + - name: initial_interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 120h + description: How far back to look for indicators the first time the agent is started. + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: filters + type: yaml + title: MISP API Filters + multi: false + required: false + show_user: false + default: | + #type: + # OR: + # - ip-src + # - ip-dst + #tags: + # NOT: + # - tlp-red + description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported. 
+ - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + default: | + #verification_mode: none + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - misp-threat + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: MISP + description: Collect indicators from the MISP API diff --git a/packages/ti_misp/1.3.1/data_stream/threat/sample_event.json b/packages/ti_misp/1.3.1/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..2f0271242c --- /dev/null +++ b/packages/ti_misp/1.3.1/data_stream/threat/sample_event.json 
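Review bot: The `url` default `https://mispserver.com` is a placeholder that looks like a routable third-party domain, and `api_token` is sent to whatever `url` points at, so an operator who enables the integration without editing the default would hand the token to that host; an RFC 2606 reserved name such as `default: https://misp.example.com`, or no default at all since the var is already `required: true`, avoids that. The only example under `ssl` is `#verification_mode: none`, which nudges users toward disabling certificate verification on the connection that carries the API token; the comment should state that this is for testing only, or show the `certificate_authorities` setting as the alternative. `initial_interval` and `interval` both carry `title: Interval`, so the two are indistinguishable in the configuration UI — `title: Initial Interval` for the first resolves it — and `http_client_timeout` and `interval` have no `description` at all. The `proxy_url` description reads `http[s]://:@:` as rendered here; if the angle-bracketed placeholders are missing in the file too, it should be quoted so they survive, e.g. `description: "URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>"`.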
@@ -0,0 +1,97 @@ +{ + "@timestamp": "2014-10-06T07:12:57.000Z", + "agent": { + "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_misp.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:58:54.124Z", + "dataset": "ti_misp.threat", + "ingested": "2022-04-11T08:58:55Z", + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "1462454963", + "to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": "3", + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + }, + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "1610622316", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "green" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/docs/README.md b/packages/ti_misp/1.3.1/docs/README.md new file mode 100755 index 0000000000..79790f5d0e --- /dev/null 
+++ b/packages/ti_misp/1.3.1/docs/README.md 
@@ -0,0 +1,259 @@ +# MISP Integration + +The MISP integration uses the REST API from the running MISP instance to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The MISP integration configuration allows to set the polling interval, how far back it +should look initially, and optionally any filters used to filter the results. + +The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | +| misp.attribute.comment | Comments made to the attribute itself. | keyword | +| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | +| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | +| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | +| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | +| misp.attribute.id | The ID of the attribute related to the event object. | keyword | +| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | +| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | +| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | +| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | +| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | +| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | +| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.attribute_count | How many attributes are included in a single event object. | long | +| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | +| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | +| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | +| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | +| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | +| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | +| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | +| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | +| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | +| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | +| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | +| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | +| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | +| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.date | The date of when the event object was created. | date | +| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean | +| misp.distribution | Distribution type related to MISP. 
| keyword |
+| misp.extends_uuid | The UUID of the event object it might extend. | keyword |
+| misp.id | Attribute ID. | keyword |
+| misp.info | Additional text or information related to the event. | keyword |
+| misp.locked | If the current MISP event object is locked or not. | boolean |
+| misp.org.id | The organization ID related to the event object. | keyword |
+| misp.org.local | If the event object is local or from a remote source. | boolean |
+| misp.org.name | The organization name related to the event object. | keyword |
+| misp.org.uuid | The UUID of the organization related to the event object. | keyword |
+| misp.org_id | Organization ID of the event. | keyword |
+| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword |
+| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean |
+| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword |
+| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword |
+| misp.orgc_id | Organization Community ID of the event. | keyword |
+| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean |
+| misp.publish_timestamp | At what time the event object was published | date |
+| misp.published | When the event was published. | boolean |
+| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword |
+| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long |
+| misp.timestamp | The timestamp of when the event object was created. | date |
+| misp.uuid | The UUID of the event object. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | | keyword |
+| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
+| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword |
+| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
+| threat.indicator.registry.value | Name of the value written. | keyword |
+| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user.email | User email address. | keyword |
+| user.roles | Array of user roles at the time of the event. | keyword |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2014-10-06T07:12:57.000Z",
+ "agent": {
+ "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da",
+ "id": "f33cbb31-3e5c-4242-8b35-d4631555523c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "ti_misp.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "f33cbb31-3e5c-4242-8b35-d4631555523c",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:58:54.124Z",
+ "dataset": "ti_misp.threat",
+ "ingested": "2022-04-11T08:58:55Z",
+ "kind": "enrichment",
+ "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "1462454963", + 
"to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": "3", + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + }, + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "1610622316", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "green" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} +``` \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/img/misp.svg b/packages/ti_misp/1.3.1/img/misp.svg new file mode 100755 index 0000000000..076530aa25 --- /dev/null +++ b/packages/ti_misp/1.3.1/img/misp.svg @@ -0,0 +1,158 @@ + + + + diff --git a/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json new file mode 100755 index 0000000000..bd8d5dbf01 --- /dev/null +++ b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + 
"type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json new file mode 100755 index 0000000000..a9987e5bf9 --- /dev/null +++ b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json 
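Review bot: Three of the metric panels in `panelsJSON` aggregate on fields this integration does not appear to map — `"sourceField":"threat.indicator.file.hash.tlsh"`, `"sourceField":"threat.indicator.file.hash.ssdeep"` and `"sourceField":"threat.indicator.file.pe.imphash"` — while the ti_misp exported-fields table earlier in this diff lists only `md5`, `sha1` and `sha256` under `threat.indicator.file.hash`, so the "Unique TLSH", "Unique SSDEEP" and "Unique Imphash" tiles will always show 0 against `ti_misp.threat` data. Either add those fields to the data stream's field definitions or drop the three panels and their `references` entries. Relatedly, the inner Lens `attributes.title` values and every `sharingSavedObjectProps.sourceId` still read `[Logs AbuseCH]` / `ti_abusech-…` (the markdown panel's inner title is `"Files Navigation Textbox [Logs AbuseCH]"`), which looks like a leftover from cloning the AbuseCH dashboard; only the outer panel titles were renamed to `[Logs MISP]`, and the stale `sourceId` links will confuse anyone exporting or diffing saved objects later. The filters on `event.kind: enrichment` and `data_stream.dataset: ti_misp.threat` are correct and keep the `logs-*` data view scoped to this integration.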
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] URLs", + "version": 1 + }, + 
"coreMigrationVersion": "8.0.0", + "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100755 index 0000000000..e60f8f871b --- /dev/null +++ b/packages/ti_misp/1.3.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.3.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100755 index 0000000000..b202c82473 --- /dev/null +++ b/packages/ti_misp/1.3.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "MISP" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_misp/1.3.1/manifest.yml b/packages/ti_misp/1.3.1/manifest.yml new file mode 100755 index 0000000000..f77e430d6f --- /dev/null +++ b/packages/ti_misp/1.3.1/manifest.yml 
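Review bot: Two inner titles in this dashboard's `panelsJSON` still carry a name copied from another package: the overview text box is titled `Overview Textbox [Logs AbuseCH]` and the ingestion chart's Lens attributes are titled `Indicators ingested per Datastream [Logs AbuseCH]`, while every other panel and the dashboard itself use `[Logs MISP]`. Both appear to be masked in the rendered view (the markdown panel sets `hidePanelTitles` to true and the chart's panel-level title `Indicators ingested [Logs MISP]` takes precedence), but they are likely to surface when a panel is opened for editing or saved objects are searched. Rename both to the `[Logs MISP]` suffix used elsewhere in the file.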
@@ -0,0 +1,26 @@
+name: ti_misp
+title: MISP
+version: 1.3.1
+release: ga
+description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/misp.svg
+ title: MISP
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: ti_misp
+ title: MISP
+ description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
+ description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_otx/1.3.1/changelog.yml b/packages/ti_otx/1.3.1/changelog.yml
new file mode 100755
index 0000000000..c4be13a47e
--- /dev/null
+++ b/packages/ti_otx/1.3.1/changelog.yml
@@ -0,0 +1,51 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.2"
+ changes:
+ - description: Add field mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2449
+- version: "1.1.0"
+ changes:
+ - description: Adding threat.feed fields and dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2540
+- version: "1.0.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.2"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.1"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1873
diff --git a/packages/ti_otx/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_otx/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..cc8d4550c6
--- /dev/null
+++ b/packages/ti_otx/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,60 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+{{#if api_token }}
+- set:
+ target: header.X-OTX-API-KEY
+ value: {{ api_token }}
+{{/if}}
+{{#if types}}
+- set:
+ target: url.params.types
+ value: {{ types }}
+{{/if}}
+- set:
+ target: url.params.modified_since
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "RFC3339" ]]'
+
+response.split:
+ target: body.results
+
+response.pagination:
+- set:
+ target: url.value
+ value: '[[ .last_response.body.next ]]'
+cursor:
+ timestamp:
+ value: '[[ formatDate (now (parseDuration "-{{ lookback_range }}")) "RFC3339" ]]'
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/ti_otx/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_otx/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..8ce807b239
--- /dev/null
+++ b/packages/ti_otx/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
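Review bot: The API key and endpoint are interpolated into the rendered YAML unquoted (`value: {{ api_token }}` under the `X-OTX-API-KEY` transform, and `request.url: {{url}}`), so a value that contains YAML-significant characters (`#`, a leading `*`/`&`/`[`, a `: ` sequence) or that happens to look like a number or boolean would be mis-parsed or retyped before httpjson ever sees it. Quoting the scalar interpolations — `value: "{{ api_token }}"`, `request.url: "{{url}}"`, and likewise `proxy_url` and `types` — makes the rendered config robust without changing behaviour for well-formed values (`ssl` is a yaml-typed var and must stay unquoted). The `cursor:` block deserves a one-line comment because the stored timestamp is derived from wall-clock time rather than from the response, which is not obvious at a glance: `# cursor is now - lookback_range, not a server timestamp: lookback_range absorbs OTX-side indexing delay and clock skew on the next modified_since request`.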
@@ -0,0 +1,169 @@
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: otx
+ - fingerprint:
+ fields:
+ - otx.id
+ target_field: "_id"
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ ## File indicator operations
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.md5
+ ignore_missing: true
+ if: "ctx.otx?.type == 'FileHash-MD5'"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.sha1
+ ignore_missing: true
+ if: "ctx.otx?.type == 'FileHash-SHA1'"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.sha256
+ ignore_missing: true
+ if: "ctx.otx?.type == 'FileHash-SHA256'"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.pehash
+ ignore_missing: true
+ if: "ctx.otx?.type == 'FileHash-PEHASH'"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.file.hash.imphash
+ ignore_missing: true
+ if: "ctx.otx?.type == 'FileHash-IMPHASH'"
+
+ ## IP indicator operations
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: ctx.otx?.type == 'IPv4'
+ - set:
+ field: threat.indicator.type
+ value: ipv6-addr
+ if: ctx.otx?.type == 'IPv6'
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.ip
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"
+
+ ## URL indicator operations
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)"
+ - uri_parts:
+ field: otx.indicator
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx.threat?.indicator?.type == 'url'
+ - set:
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
+ ignore_empty_value: true
+ if: "ctx.otx?.type == 'URL'"
+
+ ## Email indicator operations
+ - set:
+ field: threat.indicator.type
+ value: email-addr
+ if: ctx.otx?.type == 'email'
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.email.address
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'email-addr'"
+
+ ## Domain indicator operations
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)"
+ - rename:
+ field: otx.indicator
+ target_field: threat.indicator.url.domain
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null"
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx.otx != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field:
+ - otx.content
+ ignore_missing: true
+ if: ctx.otx?.content == ""
+ - remove:
+ field:
+ - otx.type
+ - otx.id
+ - message
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type != null
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_otx/1.3.1/data_stream/threat/fields/agent.yml b/packages/ti_otx/1.3.1/data_stream/threat/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_otx/1.3.1/data_stream/threat/fields/agent.yml
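Review bot: The first file-indicator `set` is guarded by `ctx.otx?.type.startsWith('FileHash')`, which is null-safe on `otx` but not on `type`; as far as I can tell from Painless's null-safe semantics, an OTX record without a `type` key would reach `.startsWith` on null, throw, and send the whole document to `on_failure` with nothing but `error.message`, so the guard should read `if: "ctx.otx?.type != null && (ctx.otx.type.startsWith('FileHash') || ctx.otx.type == 'filepath')"`. The `FileHash-IMPHASH` branch renames into `threat.indicator.file.hash.imphash`, while this data stream's `fields/ecs.yml` in the same commit only declares `threat.indicator.file.pe.imphash` (and `file.hash.pehash`), so the field this pipeline writes has no mapping — either the rename target or the field definition needs to change. The pipeline `description` still says "Abuse.ch URL Threat Intel", a copy-paste leftover from another package; `description: Pipeline for parsing AlienVault OTX threat indicators` would match what the pipeline does.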
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_otx/1.3.1/data_stream/threat/fields/base-fields.yml b/packages/ti_otx/1.3.1/data_stream/threat/fields/base-fields.yml new file mode 100755 index 0000000000..5b27b27cf8 --- /dev/null +++ b/packages/ti_otx/1.3.1/data_stream/threat/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_otx +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: Alienvault OTX +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_otx.threat +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_otx/1.3.1/data_stream/threat/fields/beats.yml b/packages/ti_otx/1.3.1/data_stream/threat/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_otx/1.3.1/data_stream/threat/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_otx/1.3.1/data_stream/threat/fields/ecs.yml b/packages/ti_otx/1.3.1/data_stream/threat/fields/ecs.yml new file mode 100755 index 0000000000..b1e87e820e --- /dev/null +++ b/packages/ti_otx/1.3.1/data_stream/threat/fields/ecs.yml 
@@ -0,0 +1,153 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. 
+ The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: The file's pehash, if available. + name: threat.indicator.file.hash.pehash + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword diff --git a/packages/ti_otx/1.3.1/data_stream/threat/fields/fields.yml b/packages/ti_otx/1.3.1/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..ee3a603aad --- /dev/null +++ b/packages/ti_otx/1.3.1/data_stream/threat/fields/fields.yml @@ -0,0 +1,36 @@ +- name: otx + type: group + description: > + Fields for OTX Threat Intel + + fields: + - name: id + type: keyword + description: > + The ID of the indicator. + + - name: indicator + type: keyword + description: > + The value of the indicator, for example if the type is domain, this would be the value. + + - name: description + type: keyword + description: > + A description of the indicator. + + - name: title + type: keyword + description: > + Title describing the indicator. + + - name: content + type: keyword + description: > + Extra text or descriptive content related to the indicator. + + - name: type + type: keyword + description: > + The indicator type, can for example be "domain, email, FileHash-SHA256". + diff --git a/packages/ti_otx/1.3.1/data_stream/threat/manifest.yml b/packages/ti_otx/1.3.1/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..4bfd942d44 --- /dev/null +++ b/packages/ti_otx/1.3.1/data_stream/threat/manifest.yml 
@@ -0,0 +1,98 @@
+type: logs
+title: Alienvault OTX logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: Alienvault OTX API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://otx.alienvault.com/api/v1/indicators/export
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 5m
+ - name: api_token
+ type: text
+ title: API Token
+ multi: false
+ required: true
+ show_user: true
+ description: The Alienvault OTX API token
+ - name: first_interval
+ type: text
+ title: First Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Configures how far back in time the agent should retrieve data from the API in hours.
+ default: 400h
+ - name: lookback_range
+ type: text
+ title: Lookback Range
+ multi: false
+ required: true
+ show_user: false
+ description: How many hours to look back for each request, should not be smaller than the interval (default 5m).
+ default: 1h
+ - name: types
+ type: text
+ title: Filter on indicator types
+ multi: false
+ required: false
+ show_user: false
+ description: "A comma separated list of indicator types to retrieve, example: 'domain,IPv4,hostname,url,FileHash-SHA256'"
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - otx-threat
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Alienvault OTX logs
+ description: Collect Alienvault OTX logs
diff --git a/packages/ti_otx/1.3.1/data_stream/threat/sample_event.json b/packages/ti_otx/1.3.1/data_stream/threat/sample_event.json
new file mode 100755
index 0000000000..131bc083ed
--- /dev/null
+++ b/packages/ti_otx/1.3.1/data_stream/threat/sample_event.json
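Review bot: `api_token` is declared `type: text`, so the OTX API key is displayed in clear in the Fleet policy editor and handled like any other free-text var; `type: password` masks it in the UI and signals to tooling that it is a secret, assuming the package-spec version this package targets accepts that var type. The `proxy_url` description, `http[s]://:@:`, looks like it has lost its placeholders (probably angle brackets stripped on the way in) and invites embedding credentials in a plain-text var; if the intent is `http[s]://<user>:<password>@<host>:<port>`, say so and consider the same masking concern. `first_interval` is described as "in hours" but its value is a Go duration string fed to `parseDuration` by the stream template, so `description: How far back to fetch on first run, as a Go duration (e.g. 400h, 30m)` would be accurate and would also stop users typing a bare number.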
@@ -0,0 +1,50 @@ +{ + "@timestamp": "2022-04-11T09:14:18.594Z", + "agent": { + "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_otx.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:14:18.594Z", + "dataset": "ti_otx.threat", + "ingested": "2022-04-11T09:14:19Z", + "kind": "enrichment", + "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "otx": {}, + "tags": [ + "preserve_original_event", + "forwarded", + "otx-threat" + ], + "threat": { + "indicator": { + "type": "domain-name", + "url": { + "domain": "info.3000uc.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_otx/1.3.1/docs/README.md b/packages/ti_otx/1.3.1/docs/README.md new file mode 100755 index 0000000000..a6bdcca6e7 --- /dev/null +++ b/packages/ti_otx/1.3.1/docs/README.md 
@@ -0,0 +1,153 @@ +# Alienvault OTX Integration + +This integration is for Alienvault OTX. It retrieves indicators for all pulses subscribed to a specific user account on OTX + +## Configuration + +To use this package, it is required to have an account on [Alienvault OTX](https://otx.alienvault.com/). Once an account has been created, and at least 1 pulse has been subscribed to, the API key can be retrieved from your [user profile dashboard](https://otx.alienvault.com/api). In the top right corner there should be an OTX KEY. + +## Logs + +### Threat + +Retrieves all the related indicators over time, related to your pulse subscriptions on OTX. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. 
| constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | +| otx.content | Extra text or descriptive content related to the indicator. | keyword | +| otx.description | A description of the indicator. | keyword | +| otx.id | The ID of the indicator. | keyword | +| otx.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | +| otx.title | Title describing the indicator. | keyword | +| otx.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.provider | The name of the indicator's provider. 
| keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". 
| wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2022-04-11T09:14:18.594Z", + "agent": { + "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_otx.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:14:18.594Z", + "dataset": "ti_otx.threat", + "ingested": "2022-04-11T09:14:19Z", + "kind": "enrichment", + "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "otx": {}, + "tags": [ + "preserve_original_event", + "forwarded", + "otx-threat" + ], + "threat": { + "indicator": { + "type": "domain-name", + "url": { + "domain": "info.3000uc.com" + } + } + } +} +``` diff --git a/packages/ti_otx/1.3.1/img/otx.svg b/packages/ti_otx/1.3.1/img/otx.svg new file mode 100755 index 0000000000..ac96edd1d8 --- /dev/null +++ b/packages/ti_otx/1.3.1/img/otx.svg 
@@ -0,0 +1 @@
+AV-Corporate-Logo
\ No newline at end of file
diff --git a/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json
new file mode 100755
index 0000000000..57b0284421
--- /dev/null
+++ b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json
@@ -0,0 +1,102 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[OTX Overview (This Page)](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the Alienvault OTX integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Alienvault OTX. 
\\n\\nThe ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from Alienvault OTX.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":7},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":23},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":13,\"y\":23},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json new file mode 100755 index 0000000000..07df8ecd9e --- /dev/null +++ b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json 
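Review bot: The "Feed and Indicator Selector" control panel inside `panelsJSON` still carries the AbuseCH filter it was copied from — its `savedVis.data.searchSource.filter` restricts `event.dataset` to `ti_abusech.malware`, `ti_abusech.malwarebazaar` and `ti_abusech.url`, while the dashboard-level filter pins `data_stream.dataset` to `ti_otx.threat`, so the control's term lists will presumably come back empty for OTX data. The inner visualization titles (`Overview Textbox [Logs AbuseCH]`, `Indicators ingested per Datastream [Logs AbuseCH]`, `Total Indicators [Logs AbuseCH]`, ...) and the `sharingSavedObjectProps.sourceId` values prefixed `ti_abusech-` show the same origin. Replace the `phrases` filter params and `should` clauses with `ti_otx.threat` (or drop that panel filter and rely on the dashboard filter) and rename the inner titles to `[Logs OTX]` so exported objects are not misattributed. The markdown panel also says "by default it fetches new updates every 10 minutes", which does not match the `default: 1h` interval shown in the manifest hunk above; say it follows the configured interval instead of hard-coding a number.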
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX Files (This Page)](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":22,\"y\":0},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":16},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":16},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json new file mode 100755 index 0000000000..d6094d2b40 --- /dev/null +++ b/packages/ti_otx/1.3.1/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json 
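Review bot: Every Lens panel in `panelsJSON` still carries an inner `attributes.title` ending in `[Logs AbuseCH]` and a `sharingSavedObjectProps.sourceId` pointing at a `ti_abusech-…` saved object, while the outer panel titles already read `[Logs OTX]`; this is copy-over residue from the AbuseCH package. The `sharingSavedObjectProps` block looks like metadata left behind when the original by-reference visualizations were exported, and since these panels are by-value it is presumably ignored by Kibana, but it misleads anyone tracing where a panel came from and the inner titles show up in the Lens editor, so drop that block and rename the titles, e.g. `\"title\":\"Unique File Types [Logs OTX]\"`. The markdown panel's `savedVis.title` has the same leftover (`Files Navigation Textbox [Logs AbuseCH]`). The dashboard `description` also spells the vendor `Alienvault` where the package manifest uses `AlienVault`.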
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX URLs (This Page)](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b)** \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] URLs", + "version": 1 + }, + 
"coreMigrationVersion": "8.0.0", + "id": "ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, 
+ { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_otx/1.3.1/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.1/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json new file mode 100755 index 0000000000..31f9238c67 --- /dev/null +++ b/packages/ti_otx/1.3.1/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "OTX" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_otx/1.3.1/manifest.yml b/packages/ti_otx/1.3.1/manifest.yml new file mode 100755 index 0000000000..5aef6f8702 --- /dev/null +++ b/packages/ti_otx/1.3.1/manifest.yml 
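Review bot: In the `Most Popular File Extensions [Logs OTX]` treemap panel, `visualization.layers[0].groups` lists the column id `15e2b5ad-2040-4253-89a6-60f085c66f86` twice; every other pie/treemap panel on this page lists each bucket column once, so this looks like an editing slip that asks Lens to group on the same column twice, and it should read `\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]`. Separately, the markdown panel's outer title on this URLs dashboard is `Files Navigation Textbox [Logs OTX]`, copied from the Files dashboard; `URLs Navigation Textbox [Logs OTX]` would match its content. Whether the duplicated group renders as a nested split or is silently de-duplicated depends on the Kibana version, which I cannot confirm from the hunk.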
@@ -0,0 +1,26 @@
+name: ti_otx
+title: AlienVault OTX
+version: 1.3.1
+release: ga
+description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/otx.svg
+ title: Alienvault OTX
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: ti_otx
+ title: Alienvault OTX
+ description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Ingest threat intelligence indicators from Alienvault OTX via API"
+ description: "Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_recordedfuture/0.1.3/changelog.yml b/packages/ti_recordedfuture/0.1.3/changelog.yml
new file mode 100755
index 0000000000..dd36fa4103
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/changelog.yml
@@ -0,0 +1,21 @@
+# newer versions go on top
+- version: "0.1.3"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "0.1.2"
+ changes:
+ - description: Add field mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "0.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2757
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..1e7156ac8c
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,33 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if custom_url}}
+request.url: "{{ custom_url }}"
+{{else}}
+request.url: "{{ endpoint }}/{{ entity }}/risklist?format=csv/splunk&gzip=false&list={{ list }}"
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.transforms:
+{{#if api_token}}
+- set:
+ target: header.X-RFToken
+ value: {{ api_token }}
+{{/if}}
+response.decode_as: text/csv
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/logfile.yml.hbs b/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..f2c693bdde
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/agent/stream/logfile.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+ - add_locale: ~
\ No newline at end of file
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml
new file mode 100755
index 0000000000..86c06b7a1d
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml
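Review bot: The `X-RFToken` transform is emitted whenever `api_token` is set, independent of which branch produced `request.url`, so a `custom_url` that points at a host other than the Recorded Future API, or that uses plain `http://`, sends the API token to that host. The template cannot validate the URL, so the coupling should at least be visible: a comment above the transform such as `# The token below is sent to whatever request.url resolved to, including custom_url.` and a matching warning in the manifest description of `custom_url`. Separately, `value: {{ api_token }}` and `request.proxy_url: {{proxy_url}}` are unquoted in the rendered YAML, so a value containing `#`, `: ` or a leading indicator character would break or silently alter the generated config; `value: "{{ api_token }}"` and `request.proxy_url: "{{proxy_url}}"` are safer. `{{ entity }}` and `{{ list }}` are also spliced into the query string without URL-encoding, which is only tolerable because both are operator-configured values.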
@@ -0,0 +1,43 @@
+---
+description: Pipeline to decode CSV risklists from Recorded Future threat intel.
+processors:
+ - csv:
+ field: event.original
+ target_fields:
+ - _tmp_.col0
+ - _tmp_.col1
+ - _tmp_.col2
+ - _tmp_.col3
+ - _tmp_.col4
+ - drop:
+ description: 'Drops the CSV header line.'
+ if: 'ctx._tmp_.col0 == "Name"'
+
+# This supports the default CSV risklists:
+# 4-column for url, domain and IPs.
+# 5-column for hash.
+ - script:
+ description: Maps the CSV entries to fields.
+ lang: painless
+ params:
+ default:
+ col0: Name
+ col1: Risk
+ col2: RiskString
+ col3: EvidenceDetails
+ hash:
+ col0: Name
+ col1: Algorithm
+ col2: Risk
+ col3: RiskString
+ col4: EvidenceDetails
+ source: >
+ def cols = params[ ctx._tmp_.col4 == null? "default" : "hash" ];
+ def src = ctx._tmp_;
+ def dst = new HashMap();
+ for (entry in cols.entrySet()) {
+ dst[entry.getValue()] = src[entry.getKey()];
+ }
+ ctx['json'] = dst;
+ - remove:
+ field: _tmp_
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..2c2ec01047
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
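Review bot: The layout decision in the script, `params[ ctx._tmp_.col4 == null? "default" : "hash" ]`, treats any row with a fifth column as a hash row, so a default-layout line that picks up one extra delimiter (an unquoted comma inside `EvidenceDetails`, for instance) is silently mapped with Risk landing in `Algorithm` and RiskString in `Risk` instead of being rejected. A cheap guard is to also require the second column to look like an algorithm before selecting the hash layout, e.g. `def alg = ctx._tmp_.col1;` / `boolean isHash = ctx._tmp_.col4 != null && alg != null && (alg == "MD5" || alg.startsWith("SHA-"));` / `def cols = params[isHash ? "hash" : "default"];`, which matches the algorithm names the default pipeline accepts; rows failing the check then surface in `error.message` downstream rather than as mislabelled indicators. Whatever is chosen, the block comment above the script should state the assumption it relies on, e.g. `# Assumes cells are quoted per RFC 4180; column count alone selects the layout.`, since the `csv` processor here runs with default quote and separator settings.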
@@ -0,0 +1,212 @@
+---
+description: Pipeline for parsing Recorded Future threat intel.
+processors:
+#
+# Set basic ECS fields.
+#
+ - set:
+ field: ecs.version
+ value: "8.0"
+ - set:
+ field: event.dataset
+ value: "ti_recordedfuture.threat"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+ - set:
+ field: threat.feed.name
+ value: "Recorded Future"
+#
+# TODO: Add dashboard
+#
+# - set:
+# field: threat.feed.dashboard_id
+# value: "recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf"
+
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+
+#
+# Decode event.original as JSON if it starts with the "{" character.
+# This is the common case when events are ingested from the API, as httpjson
+# transforms the CSV to a JSON message.
+#
+ - json:
+ field: event.original
+ target_field: json
+ if: 'ctx.event?.original != null && ctx.event.original.startsWith("{")'
+ on_failure:
+ - fail:
+ message: "Failed decoding message field as JSON: {{{ _ingest.on_failure_message }}}"
+
+#
+# Decode event.original as CSV when the above processor didn't execute.
+# This is used when ingesting CSV lines from a file.
+#
+ - pipeline:
+ name: '{{ IngestPipeline "decode_csv" }}'
+ if: 'ctx.json == null'
+ on_failure:
+ - fail:
+ message: "Failed decoding message field as CSV: {{{ _ingest.on_failure_message }}}"
+
+#
+# Decode EvidenceDetails column as JSON.
+#
+ - json:
+ field: json.EvidenceDetails
+ target_field: _temp_.EvidenceDetails
+ ignore_failure: true
+
+ - rename:
+ field: _temp_.EvidenceDetails.EvidenceDetails
+ target_field: json.evidence_details
+ ignore_missing: true
+
+#
+# Hash indicators (threat.indicator.type=file)
+# As risklist indicators don't have a "type" field, it's necessary
+# to detect the kind of indicator in the Name field.
+#
+# An indicator is of type `hash` when the Algorithm field is present.
+#
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: 'ctx.json.Algorithm != null'
+ - script:
+ lang: painless
+ description: >
+ Map file hashes.
+ if: "ctx.json.Algorithm != null"
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ SHA-384: sha384
+ SHA-512: sha512
+ source: >-
+ def key = params[ctx.json.Algorithm];
+ if (key == null) {
+ throw new Exception("Unsupported hash algorithm '" + ctx.json.Algorithm + "'");
+ }
+ def hashes = [key:ctx.json.Name];
+ ctx["_hashes"] = hashes;
+ on_failure:
+ - append:
+ field: error.message
+ value: "Failed to map fileHashes field: {{{ _ingest.on_failure_message }}}"
+ - rename:
+ field: _hashes
+ target_field: threat.indicator.file.hash
+ ignore_missing: true
+
+#
+# IP indicators (threat.indicator.type=ipvN-addr)
+#
+# An indicator is of type `ip` if Name is a valid IP address.
+#
+ - convert:
+ field: json.Name
+ target_field: threat.indicator.ip
+ type: ip
+ ignore_failure: true
+ if: 'ctx.threat?.indicator?.type == null'
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: 'ctx.threat?.indicator?.ip != null && !ctx.threat.indicator.ip.contains(":")'
+ - set:
+ field: threat.indicator.type
+ value: ipv6-addr
+ if: 'ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(":")'
+
+#
+# URL indicators (threat.indicator.type=url)
+# An indicator is of type `url` if Name contains a slash character.
+#
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: 'ctx.threat?.indicator?.type == null && ctx.json.Name.contains("/")'
+ - uri_parts:
+ field: json.Name
+ target_field: threat.indicator.url
+ keep_original: true
+ if: 'ctx.threat?.indicator?.type == "url"'
+#
+# Domain indicators (threat.indicator.type=domain)
+# This is a catch-all type.
+#
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: 'ctx.threat?.indicator?.type == null'
+ - set:
+ field: threat.indicator.url.domain
+ value: '{{{ json.Name }}}'
+ ignore_empty_value: true
+ if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null'
+
+#
+# Normalize Risk
+#
+ - convert:
+ field: json.Risk
+ target_field: event.risk_score
+ ignore_missing: true
+ type: float
+ on_failure:
+ - append:
+ field: error.message
+ value: "Risk score `{{{ json.Risk }}}` cannot be converted to float: {{{ _ingest.on_failure_message }}}"
+
+#
+# Fingerprint event: _id = hash(dataset + indicator type + indicator value)
+#
+ - fingerprint:
+ fields:
+ - event.dataset
+ - threat.indicator.type
+ - json.Name
+ target_field: "_id"
+
+#
+# Save fields without an ECS mapping under `recordedfuture`.
+#
+ - rename:
+ field: json.RiskString
+ target_field: json.risk_string
+ ignore_missing: true
+ - rename:
+ field: json
+ target_field: recordedfuture
+
+#
+# Cleanup
+#
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - recordedfuture.Algorithm
+ - recordedfuture.EvidenceDetails
+ - recordedfuture.Name
+ - recordedfuture.Risk
+ - _temp_
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/agent.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/agent.yml
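Review bot: When the `Map file hashes.` script throws for an algorithm outside its `params`, `threat.indicator.type` has already been set to `file` by the preceding `set`, `_hashes` is never created, and the final `remove` drops `recordedfuture.Name`, so the document is indexed as a file indicator with neither a hash nor the raw indicator value, and only `error.message` records what was lost. Keeping the raw value makes such rows recoverable and also fills a gap: `fields.yml` in this same change declares `recordedfuture.name` ("Indicator value.") but nothing in this pipeline populates it, so adding `- rename: { field: json.Name, target_field: json.name, ignore_missing: true }` next to the `json.RiskString` rename and dropping `recordedfuture.Name` from the cleanup list would do it; the `_id` fingerprint reads `json.Name` earlier and is unaffected. Also note that `SHA-384: sha384` yields `threat.indicator.file.hash.sha384` and the `convert` processor writes `event.risk_score`, yet I don't see either declared in the field definitions added here (ecs.yml lists md5/sha1/sha256/sha512 only), so they would depend on dynamic mapping unless they are declared elsewhere in the package; confirm against the full fields directory.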
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/base-fields.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..1fbc652b8a
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,31 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_recordedfuture
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_recordedfuture.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: Recorded Future
+#
+# TODO: Add dashboard
+#
+#- name: threat.feed.dashboard_id
+# type: constant_keyword
+# description: Dashboard ID used for Kibana CTI UI
+# value: recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/beats.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/ecs.yml new file mode 100755 index 0000000000..1a807ca505 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/ecs.yml 
@@ -0,0 +1,191 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: threat.indicator.file.hash.sha512 + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location.lat + type: geo_point +- description: Longitude and latitude. + name: threat.indicator.geo.location.lon + type: geo_point +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword 
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/fields.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/fields.yml
new file mode 100755
index 0000000000..a81fd75d00
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: recordedfuture
+ type: group
+ description: >
+ Fields for Recorded Future Threat Intel
+
+ fields:
+ - name: evidence_details
+ type: flattened
+ description: >
+ List of sightings used as evidence for this indicator.
+
+ - name: name
+ type: keyword
+ description: >
+ Indicator value.
+
+ - name: risk_string
+ type: keyword
+ description: >
+ Details of risk rules observed.
+
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/manifest.yml b/packages/ti_recordedfuture/0.1.3/data_stream/threat/manifest.yml
new file mode 100755
index 0000000000..dfc711d668
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/manifest.yml
@@ -0,0 +1,125 @@
+type: logs
+title: Recorded Future
+streams:
+ - input: logfile
+ enabled: false
+ template_path: logfile.yml.hbs
+ title: Recorded Future CSV file
+ description: Reads indicators from a Recorded Future CSV file.
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - recordedfuture
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Recorded Future risklist
+ description: Receives indicators from Recorded Future risklist endpoints.
+ vars:
+ - name: entity
+ type: text
+ title: Entity
+ description: The type of entity to fetch. One of domain, hash, ip or url.
+ multi: false
+ required: true
+ show_user: true
+ default: domain
+ - name: list
+ type: text
+ title: List
+ description: List to fetch for the given entity.
+ default: default
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval between risklist downloads.
+ description: Use Go Duration syntax (eg. 1h)
+ default: "1h"
+ multi: false
+ required: true
+ show_user: true
+ - name: api_token
+ type: text
+ title: API Token
+ description: Recorded Future API Token (RF_TOKEN).
+ multi: false
+ required: true
+ show_user: true
+ - name: custom_url
+ type: url
+ title: Custom URL
+ description: URL to download a custom Fusion File.
+ multi: false
+ required: false
+ show_user: false
+ - name: endpoint
+ type: url
+ title: API Endpoint
+ description: Base API URL.
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.recordedfuture.com/v2
+ - name: proxy_url
+ type: url
+ title: Proxy URL
+ description: Optional proxy server to use.
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - recordedfuture
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/ti_recordedfuture/0.1.3/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/0.1.3/data_stream/threat/sample_event.json
new file mode 100755
index 0000000000..b26841f9b8
--- /dev/null
+++ b/packages/ti_recordedfuture/0.1.3/data_stream/threat/sample_event.json
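Review bot: `api_token` is declared with `type: text`, so Fleet renders the Recorded Future token in clear text in the policy editor and handles it like any other string; the package spec's `password` var type masks the value in the UI and is the right fit here — `type: password` — assuming the `format_version` this package targets (not visible in this hunk) accepts it. `entity` is free-form `text` even though its description fixes the set to domain, hash, ip or url and the stream template splices the value straight into the request path, so a constrained type (`select` with those four options, if this spec version supports it) or at least a note that other values are rejected by the API would prevent silent misconfiguration. The `custom_url` description should also state that the configured API token is sent to whatever URL is entered, because the stream template adds the `X-RFToken` header regardless of which URL is used; operators pasting a non-Recorded-Future link would otherwise not realise they are disclosing the token.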
@@ -0,0 +1,110 @@ +{ + "@timestamp": "2022-04-11T09:21:48.260Z", + "agent": { + "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_recordedfuture.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0" + }, + "elastic_agent": { + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "dataset": "ti_recordedfuture.threat", + "ingested": "2022-04-11T09:21:49Z", + "kind": "enrichment", + "risk_score": 87, + "timezone": "+00:00", + "type": "indicator" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/rf_url_default.csv" + }, + "offset": 45 + }, + "recordedfuture": { + "evidence_details": [ + { + "Criticality": 1, + "CriticalityLabel": "Unusual", + "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "MitigationString": "", + "Name": "defangedURL", + "Rule": "Historically Reported as a Defanged URL", + "Sources": [ + "Ctq", + "idn:fook.news", + "idn:urdupresss.com", + "POs2u-", + "idn:apple.news", + "idn:cryptoinfoos.com.ng", + "g9rk5F", + "idn:thewindowsupdate.com", + "idn:nationalcybersecuritynews.today", + "gBDK5G", + "idn:microsoft.com", + "idn:techsecuritenews.com", + "idn:mblogs.info", + "J6UzbO", + "idn:viralamo.com", + "idn:sellorbuyhomefast.com", + "idn:crazyboy.tech", + "idn:times24h.com", + "idn:buzzfeeg.com", + "idn:dsmenders.com", + "WroSbs", + "idn:vzonetvgh.com" + ], + "Timestamp": "2021-07-20T00:00:00.000Z" + }, + { + "Criticality": 3, + "CriticalityLabel": "Malicious", + "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "MitigationString": "", + "Name": "recentAnalystNote", + "Rule": "Recently Reported by Insikt Group", + "Sources": [ + "VKz42X" + ], + "Timestamp": "2021-07-10T00:00:00.000Z" + } + ], + "risk_string": "2/24" + }, + "tags": [ + "forwarded", + "recordedfuture" + ], + "threat": { + "feed": { + "name": "Recorded Future" + }, + "indicator": { + "type": "url", + "url": { + "domain": "144.34.179.162", + "original": "http://144.34.179.162/a", + "path": "/a", + "scheme": "http" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/0.1.3/docs/README.md b/packages/ti_recordedfuture/0.1.3/docs/README.md new file mode 100755 index 0000000000..b6d3fb5301 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.3/docs/README.md 
@@ -0,0 +1,215 @@ +# Recorded Future Integration + +The Recorded Future integration fetches _risklists_ from the Recorded Future API. +It supports `domain`, `hash`, `ip` and `url` entities. + +In order to use it you need to define the `entity` and `list` to fetch. Check with +Recorded Future for the available lists for each entity. To fetch indicators +from multiple entities, it's necessary to define one integration for each. + +Alternatively, it's also possible to use the integration to fetch custom Fusion files +by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option. + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2022-04-11T09:21:48.260Z", + "agent": { + "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_recordedfuture.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0" + }, + "elastic_agent": { + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "dataset": "ti_recordedfuture.threat", + "ingested": "2022-04-11T09:21:49Z", + "kind": "enrichment", + "risk_score": 87, + "timezone": "+00:00", + "type": "indicator" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/rf_url_default.csv" + }, + "offset": 45 + }, + "recordedfuture": { + "evidence_details": [ + { + "Criticality": 1, + "CriticalityLabel": "Unusual", + "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "MitigationString": "", + "Name": "defangedURL", + "Rule": "Historically Reported as a Defanged URL", + "Sources": [ + "Ctq", + "idn:fook.news", + "idn:urdupresss.com", + "POs2u-", + "idn:apple.news", + "idn:cryptoinfoos.com.ng", + "g9rk5F", + "idn:thewindowsupdate.com", + "idn:nationalcybersecuritynews.today", + "gBDK5G", + "idn:microsoft.com", + "idn:techsecuritenews.com", + "idn:mblogs.info", + "J6UzbO", + "idn:viralamo.com", + "idn:sellorbuyhomefast.com", + "idn:crazyboy.tech", + "idn:times24h.com", + "idn:buzzfeeg.com", + "idn:dsmenders.com", + "WroSbs", + "idn:vzonetvgh.com" + ], + "Timestamp": "2021-07-20T00:00:00.000Z" + }, + { + "Criticality": 3, + "CriticalityLabel": "Malicious", + "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "MitigationString": "", + "Name": "recentAnalystNote", + "Rule": "Recently Reported by Insikt Group", + "Sources": [ + "VKz42X" + ], + "Timestamp": "2021-07-10T00:00:00.000Z" + } + ], + "risk_string": "2/24" + }, + "tags": [ + "forwarded", + "recordedfuture" + ], + "threat": { + "feed": { + "name": "Recorded Future" + }, + "indicator": { + "type": "url", + "url": { + "domain": "144.34.179.162", + "original": "http://144.34.179.162/a", + "path": "/a", + "scheme": "http" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| recordedfuture.evidence_details | List of sightings used as evidence for this indicator. | flattened | +| recordedfuture.name | Indicator value. | keyword | +| recordedfuture.risk_string | Details of risk rules observed. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.indicator.as.organization.name | Organization name. | keyword | +| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | +| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | +| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. 
| long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + diff --git a/packages/ti_recordedfuture/0.1.3/img/logo.svg b/packages/ti_recordedfuture/0.1.3/img/logo.svg new file mode 100755 index 0000000000..9bb0517562 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.3/img/logo.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + + diff --git a/packages/ti_recordedfuture/0.1.3/manifest.yml b/packages/ti_recordedfuture/0.1.3/manifest.yml new file mode 100755 index 0000000000..546984df98 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.3/manifest.yml @@ -0,0 +1,29 @@ +name: ti_recordedfuture +title: Recorded Future +version: 0.1.3 +release: beta +description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/logo.svg + title: Recorded Future + size: 216x216 + type: image/svg+xml +policy_templates: + - name: ti_recordedfuture + title: Recorded Future + description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. + inputs: + - type: httpjson + title: "Collect threat intelligence from Recorded Future risklists API." + description: "Use RecordedFuture API to fetch a risklist" + - type: logfile + title: "Collect threat intelligence from CSV file." + description: "Load indicators from a CSV file" +owner: + github: elastic/security-external-integrations 
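Review bot: The httpjson input description `Use RecordedFuture API to fetch a risklist` spells the vendor as one word, while the input title, the package title and the README in this same diff all use `Recorded Future`; `description: "Use the Recorded Future API to fetch a risklist"` keeps the wording consistent. The two inputs listed (`httpjson`, `logfile`) match the two streams declared in the data stream manifest earlier in this diff.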
diff --git a/packages/ti_threatq/1.3.1/changelog.yml b/packages/ti_threatq/1.3.1/changelog.yml
new file mode 100755
index 0000000000..df4574385c
--- /dev/null
+++ b/packages/ti_threatq/1.3.1/changelog.yml
@@ -0,0 +1,46 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.2"
+ changes:
+ - description: Add event.created field mapping
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2450
+- version: "1.1.0"
+ changes:
+ - description: Add threat.feed ECS fields and dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2543
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bumping minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_threatq/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..f03799a9c9
--- /dev/null
+++ b/packages/ti_threatq/1.3.1/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,56 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+auth.oauth2:
+ client.id: {{client_id}}
+ client.secret: {{client_secret}}
+ token_url: {{token_url}}
+
+request.url: {{host}}/api/indicators/query/hash/{{data_collection_id}}
+
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+- set:
+ target: url.params.sort
+ value: updated_at
+- set:
+ target: url.params.limit
+ value: 100
+- set:
+ target: url.params.cursorMark
+ value: '[[.cursor.cursor_mark]]'
+ default: "*"
+cursor:
+ cursor_mark:
+ ignore_empty_value: true
+ value: '[[.last_response.body.nextCursorMark]]'
+response.request_body_on_pagination: true
+
+response.split:
+ target: body.data
+ fail_on_template_error: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_threatq/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7b3718fcaa
--- /dev/null
+++ b/packages/ti_threatq/1.3.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
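Review bot: `client.id`, `client.secret` and `token_url` are substituted as unquoted plain scalars, so a secret or id containing `: `, ` #`, or starting with `*`, `&`, `[` or `{` yields a mis-parsed or invalid rendered document rather than a clean authentication failure, and an all-digit client id is read as an integer. Quoting the credential lines, e.g. `client.secret: "{{client_secret}}"`, keeps the rendered YAML well-formed, assuming the Fleet template renderer does not escape substitutions (not verifiable from this hunk). The `cursor_mark` template and its `default: "*"` are already quoted, which is the right pattern for the rest of the file.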
@@ -0,0 +1,341 @@ +--- +description: Pipeline for parsing ThreatQ Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.2.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ############### + # Parse dates # + ############### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.id + - json.indicator_id + target_field: "_id" + ignore_missing: true + - date: + target_field: "@timestamp" + field: "json.updated_at" + formats: + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.json.updated_at != null" + ignore_failure: true + - date: + target_field: "threatq.created_at" + field: "json.created_at" + formats: + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.json.created_at != null" + ignore_failure: true + - date: + target_field: "threatq.expires_at" + field: "json.expires_at" + formats: + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.json.expires_at != null" + ignore_failure: true + - date: + target_field: "threatq.expires_calculated_at" + field: "json.expires_calculated_at" + formats: + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.json.expires_calculated_at != null" + ignore_failure: true + - date: + target_field: "threatq.published_at" + field: "json.published_at" + formats: + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.json.published_at != null" + ignore_failure: true + + ##################### + # Threat ECS Fields # + ##################### + - rename: + field: json.type.name + target_field: threat.indicator.type + ignore_missing: true + - rename: + field: json.description + target_field: threat.indicator.description + ignore_missing: true + - script: + lang: painless + if: ctx.json?.score != null + description: > + Normalize confidence level. 
+ source: > + def value = ctx.json.score; + if (value <= 0.0 || value > 100.0) { + ctx.threat.indicator.confidence = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx.threat.indicator.confidence = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx.threat.indicator.confidence = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx.threat.indicator.confidence = "High"; + return; + } + - rename: + field: json.status.name + target_field: threatq.status + ignore_missing: true + - rename: + field: json.value + target_field: threatq.indicator_value + ignore_missing: true + + ######################################### + # Map indicator types and values to ECS # + ######################################### + + # Indicator type: Email Address + - set: + field: threat.indicator.email.address + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: email-addr + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" + + # Indicator type: FQDN + - set: + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" + + # Indicator type: IP Address + - set: + field: threat.indicator.ip + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" + ignore_empty_value: true + + - set: + field: threat.indicator.type + value: ipv4-addr + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" + + # Indicator type: IPv6 Address + - set: + field: threat.indicator.domain + copy_from: 
threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: ipv6-addr + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" + + # Indicator type: MD5 + - set: + field: threat.indicator.file.hash.md5 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: file + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" + + # Indicator type: SHA-1 + - set: + field: threat.indicator.file.hash.sha1 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: file + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" + + # Indicator type: SHA-256 + - set: + field: threat.indicator.file.hash.sha256 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: file + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" + + # Indicator type: SHA-512 + - set: + field: threat.indicator.file.hash.sha512 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" + ignore_empty_value: true + - set: + field: threat.indicator.type + value: file + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" + + # Indicator type: URL + - uri_parts: + field: threatq.indicator_value + target_field: threat.indicator.url + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && 
ctx.threatq?.indicator_value != null" + remove_if_successful: true + - set: + field: threat.indicator.type + value: url + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'" + + # Indicator type: x509 Serial + - set: + field: threat.indicator.x509.serial_number + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'" + ignore_empty_value: true + + ################################### + # Map indicator providers and TLP # + ################################### + - script: + if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0" + lang: painless + description: "Extract TLP and providers from source" + source: |- + def providers = new ArrayList(); + def tlps = new ArrayList(); + for (source in ctx.json.sources) { + if (source == null) { + return; + } + if (source.containsKey("provider") && source["provider"] != null) { + providers.add(source["provider"]); + } + if (source.containsKey("tlp_name") && source["tlp_name"] != null) { + tlps.add(source["tlp_name"]); + } + } + if (tlps.size() > 0) { + if (ctx.threat.indicator.marking == null) { + ctx.threat.indicator.marking = new HashMap(); + } + ctx.threat.indicator.marking.tlp = tlps; + } + if (providers.size() > 0) { + if (ctx.threat.indicator.provider == null) { + ctx.threat.indicator.provider = new HashMap(); + } + ctx.threat.indicator.provider = providers; + } + + ############################ + # Map indicator attributes # + ############################ + - foreach: + description: Change attribute names to lowercase + field: json.attributes + ignore_missing: true + processor: + lowercase: + field: "_ingest._value.name" + - foreach: + description: Replaces spaces with underscore in attribute names + field: json.attributes + ignore_missing: true + processor: + gsub: + field: "_ingest._value.name" + pattern: " " + replacement: "_" + - foreach: + description: Append attributes + 
field: json.attributes + ignore_missing: true + processor: + append: + field: threatq.attributes.{{{ _ingest._value.name }}} + value: "{{{ _ingest._value.value }}}" + + ############################# + # Map indicator adversaries # + ############################# + - foreach: + field: json.adversaries + ignore_missing: true + processor: + append: + field: threatq.adversaries + value: "{{{ _ingest._value.name }}}" + + ###################### + # Cleanup processors # + ###################### + # Setting indicator type to unknown if it does not match anything + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - script: + lang: painless + if: ctx.threat != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - json + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/fields/agent.yml b/packages/ti_threatq/1.3.1/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/fields/agent.yml 
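Review bot: The `IPv6 Address` branch copies `threatq.indicator_value` into `threat.indicator.domain`, while the `IP Address` branch just above it writes `threat.indicator.ip`; an IPv6 indicator therefore never reaches the `ip` field that indicator-match rules query, and that `set` should read `field: threat.indicator.ip`. In the confidence script, `"Med"` is not one of the ECS `threat.indicator.confidence` values (None/Low/Medium/High, as the README table earlier in this diff lists them), so it should be `"Medium"`; the same script also leaves confidence unset for scores strictly between 0 and 1, 29 and 30, and 69 and 70, because it tests inclusive integer ranges on a float. Both painless scripts write into `ctx.threat.indicator` without a null check, and that map only exists if the earlier renames of `json.type.name` / `json.description` found a value, so an event lacking both would fail the script and fall to `on_failure`. Extending the conditions with `&& ctx.threat?.indicator != null`, or creating the map first, would make that explicit.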
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/1.3.1/data_stream/threat/fields/base-fields.yml new file mode 100755 index 0000000000..701a58f151 --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_threatq +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: ThreatQuotient +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848 +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_threatq.threat +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/fields/beats.yml b/packages/ti_threatq/1.3.1/data_stream/threat/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/fields/ecs.yml b/packages/ti_threatq/1.3.1/data_stream/threat/fields/ecs.yml new file mode 100755 index 0000000000..fc1ccd5f4a --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/fields/ecs.yml 
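Review bot: `threat.feed.name` is declared in this `base-fields.yml` as a `constant_keyword` with value `ThreatQuotient`, but the same data stream's `ecs.yml` in this change declares `threat.feed.name` a second time as a plain `keyword` with no description. Two definitions of one field in one data stream leave the effective mapping to whichever file the package builder merges last, and a `constant_keyword` and a `keyword` mapping for the same path are not interchangeable. Keep a single definition — the `constant_keyword` form here is the one that supplies the value the CTI dashboard keys on — and remove the bare `- name: threat.feed.name` / `type: keyword` entry from `ecs.yml`.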
@@ -0,0 +1,172 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- name: threat.feed.name + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
+ name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: threat.indicator.file.hash.sha512 + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/fields/fields.yml b/packages/ti_threatq/1.3.1/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..d22e23df8b --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/fields/fields.yml @@ -0,0 +1,51 @@ +- name: threatq + type: group + description: > + Fields for ThreatQ indicators + + fields: + - name: updated_at + type: date + description: > + Last modification time + + - name: created_at + type: date + description: > + Object creation time + + - name: expires_at + type: date + description: > + Expiration time + + - name: expires_calculated_at + type: date + description: > + Expiration calculation time + + - name: published_at + type: date + description: > + Object publication time + + - name: status + type: keyword + description: > + Object status within the Threat Library + + - name: indicator_value + type: keyword + description: > + Original indicator value + + - name: adversaries + type: keyword + description: > + Adversaries that are linked to the object + + - name: attributes + type: flattened + description: > + These provide additional context about an object + 
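Review bot: The ingest pipeline in this change writes `threat.indicator.x509.serial_number` (its `x509 Serial` branch copies `threatq.indicator_value` into that field), but neither this `ecs.yml` nor `fields.yml` declares it, so the value is left to dynamic mapping instead of an explicit `keyword` like every other `threat.indicator.*` field listed here. Add an entry next to the hash fields: `- description: Unique number issued by the certificate authority for the certificate.` / `name: threat.indicator.x509.serial_number` / `type: keyword`. The `threat.indicator.type` description still says "STIX 2.0" while `threat.indicator.confidence` cites STIX 2.1; presumably the ECS 8.2 wording was copied as-is, but the two should at least agree.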
diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/manifest.yml b/packages/ti_threatq/1.3.1/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..060ab47162 --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/manifest.yml 
@@ -0,0 +1,100 @@ +type: logs +title: ThreatQ +streams: + - input: httpjson + vars: + - name: host + type: text + title: ThreatQ hostname + multi: false + required: true + show_user: true + default: https://threatqexample.com + description: The hostname of the ThreatQ instance. + - name: client_id + type: text + title: ThreatQ Oauth2 Client ID + multi: false + required: true + show_user: true + description: The Client ID used to access the ThreatQ instance. + - name: client_secret + type: password + title: ThreatQ Oauth2 Client Secret + multi: false + required: true + show_user: true + description: The Client ID used to access the ThreatQ instance. + - name: token_url + type: text + title: ThreatQ Oauth2 Token URL + multi: false + required: true + show_user: true + description: The Token URL used for Oauth2 Authentication. + default: https://threatqexample.com/api/token + - name: data_collection_id + type: text + title: ThreatQ Collection ID + multi: false + required: true + show_user: true + description: The ID of the collection to retrieve data from. 
+ - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + default: | + #verification_mode: none + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - threatq-threat + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: ThreatQuotient + description: Collect indicators from the ThreatQuotient API diff --git a/packages/ti_threatq/1.3.1/data_stream/threat/sample_event.json b/packages/ti_threatq/1.3.1/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..b55645b939 --- /dev/null +++ b/packages/ti_threatq/1.3.1/data_stream/threat/sample_event.json 
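Review bot: The `client_secret` var's description reads `The Client ID used to access the ThreatQ instance.`, a copy of the `client_id` text; it should be `The Client Secret used to access the ThreatQ instance.` so the Fleet form labels the sensitive value correctly. The `ssl` var ships `#verification_mode: none` as its only example, which nudges users toward disabling certificate verification on the very connection that carries the OAuth2 client secret and bearer token; I would replace that line with a neutral hint such as `# Prefer certificate_authorities for self-signed instances; verification_mode: none exposes the client secret to interception.` Note also that `token_url` is required and defaults to `https://threatqexample.com/api/token` independently of `host`, so a user who only edits `host` would post real credentials to the example domain; leaving `token_url` without a default forces a deliberate value. Finally, `interval` defaults to `10m` here while the README in this change states indicators are collected every 1 minute; one of the two needs correcting.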
@@ -0,0 +1,66 @@ +{ + "@timestamp": "2021-10-01T18:36:03.000Z", + "agent": { + "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8", + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_threatq.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:27:35.244Z", + "dataset": "ti_threatq.threat", + "ingested": "2022-04-11T09:27:36Z", + "kind": "enrichment", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 
18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "threatq-threat" + ], + "threat": { + "indicator": { + "confidence": "None", + "ip": "107.189.1.90", + "type": "ipv4-addr" + } + }, + "threatq": { + "attributes": { + "contact": [ + "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca" + ], + "flags": [ + "ERDV" + ], + "router_port": [ + "9000" + ] + }, + "created_at": "2021-10-01T18:36:03.000Z", + "expires_calculated_at": "2021-10-23T18:40:17.000Z", + "indicator_value": "107.189.1.90", + "published_at": "2021-10-01T18:36:03.000Z", + "status": "Active" + } +} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.1/docs/README.md b/packages/ti_threatq/1.3.1/docs/README.md new file mode 100755 index 0000000000..cff24c8d1b --- /dev/null +++ b/packages/ti_threatq/1.3.1/docs/README.md 
@@ -0,0 +1,172 @@ +# ThreatQuotient Integration + +The ThreatQuotient integration uses the available REST API to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The ThreatQ integration requires you to set a valid URL, combination of Oauth2 credentials and the ID of the collection to retrieve +indicators from. +By default the indicators will be collected every 1 minute, and deduplication is handled by the API itself. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | | keyword |
+| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword |
+| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
+| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| threatq.adversaries | Adversaries that are linked to the object | keyword |
+| threatq.attributes | These provide additional context about an object | flattened |
+| threatq.created_at | Object creation time | date |
+| threatq.expires_at | Expiration time | date |
+| threatq.expires_calculated_at | Expiration calculation time | date |
+| threatq.indicator_value | Original indicator value | keyword |
+| threatq.published_at | Object publication time | date |
+| threatq.status | Object status within the Threat Library | keyword |
+| threatq.updated_at | Last modification time | date |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2021-10-01T18:36:03.000Z",
+ "agent": {
+ "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8",
+ "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "ti_threatq.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T09:27:35.244Z",
+ "dataset": "ti_threatq.threat",
+ "ingested": "2022-04-11T09:27:36Z",
+ "kind": "enrichment",
+ "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "threatq-threat"
+ ],
+ "threat": {
+ "indicator": {
+ "confidence": "None",
+ "ip": "107.189.1.90",
+ "type": "ipv4-addr"
+ }
+ },
+ "threatq": {
+ "attributes": {
+ "contact": [
+ "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca"
+ ],
+ "flags": [
+ "ERDV"
+ ],
+ "router_port": [
+ "9000"
+ ]
+ },
+ "created_at": "2021-10-01T18:36:03.000Z",
+ "expires_calculated_at": "2021-10-23T18:40:17.000Z",
+ "indicator_value": "107.189.1.90",
+ "published_at": "2021-10-01T18:36:03.000Z",
+ "status": "Active"
+ }
+}
+```
\ No newline at end of file diff --git a/packages/ti_threatq/1.3.1/img/threatq.svg b/packages/ti_threatq/1.3.1/img/threatq.svg new file mode 100755 index 0000000000..0da7d32522 --- /dev/null +++ b/packages/ti_threatq/1.3.1/img/threatq.svg @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json new file mode 100755 index 0000000000..f4adcae2b5 --- /dev/null +++ b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[ThreatQ Overview (This Page)](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the ThreatQ integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from ThreatQ. 
\\n\\nIt shows the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from ThreatQ.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"data_stream.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": 
"ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json new file mode 100755 index 0000000000..0fa3fc0ee3 --- /dev/null +++ b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json 
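Review bot: The "Feed and Indicator Selector" input-control panel inside panelsJSON still carries a searchSource filter that pins `event.dataset` to `ti_abusech.malware`, `ti_abusech.malwarebazaar` and `ti_abusech.url`, which looks like a leftover from the AbuseCH dashboard this one was copied from; every other filter on this dashboard restricts `data_stream.dataset` to `ti_threatq.threat`, so if the control honours its own filter it can only ever offer AbuseCH values and never ThreatQ ones. Replacing that phrases filter with a single `{"match_phrase":{"event.dataset":"ti_threatq.threat"}}` entry, or dropping it and relying on the dashboard-level filter, keeps the control consistent with the rest of the page. The same copy also left the inner savedVis/attributes titles as `[Logs AbuseCH]` and the Lens `sharingSavedObjectProps.sourceId` values pointing at `ti_abusech-*` saved-object ids; these are cosmetic, but they make it hard to tell which panels were actually reviewed for ThreatQ, and the Files dashboard that begins at the end of this line shows the same pattern.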
@@ -0,0 +1,102 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ Files (This Page)](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":26,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":32,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":19,\"x\":7,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":26,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json new file mode 100755 index 0000000000..1b50c92265 --- /dev/null +++ b/packages/ti_threatq/1.3.1/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview ](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ URLs (This Page)](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848)** \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] URLs", + "version": 1 
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_threatq/1.3.1/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.1/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json
new file mode 100755
index 0000000000..be8a15d6e9
--- /dev/null
+++ b/packages/ti_threatq/1.3.1/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "",
+ "name": "ThreatQ"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/ti_threatq/1.3.1/manifest.yml b/packages/ti_threatq/1.3.1/manifest.yml
new file mode 100755
index 0000000000..d1302b076c
--- /dev/null
+++ b/packages/ti_threatq/1.3.1/manifest.yml
@@ -0,0 +1,26 @@
+name: ti_threatq
+title: ThreatQuotient
+version: 1.3.1
+release: ga
+description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/threatq.svg
+ title: ThreatQuotient
+ size: 600x600
+ type: image/svg+xml
+policy_templates:
+ - name: ti_threatq
+ title: ThreatQuotient
+ description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent."
+ description: "Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
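Review bot: The httpjson input's `title` repeats the full package description sentence, so the same text appears three times in this manifest; a short title for the input (for example `title: ThreatQuotient indicators`, wording to taste) reads better in the policy editor, with the longer sentence kept only in `description`. The two strings under `inputs` are also the only quoted scalars in the file; quoting is harmless, but it should be applied consistently, and `version: 1.3.1` is the one value worth quoting defensively as `version: "1.3.1"` so that no tool ever retypes a version that happens to look numeric (this one parses as a string because of the second dot).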